Re: How to create a subsearch with multiple result...

trucall · ‎06-12-2019

Hi,

I've a question about sub search, I'm probably misunderstanding docs and other posts.

This is my search:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)"| rename objectId as search  ] stringFilter

The subsearch, executed as a normal search, produce many results, so many objectId.

My expectations is that the final search is like this below:

index=MyIndex (objectId-1 OR objectId-2 OR objectId-3)  stringFilter

The behavior is different, only one objectId is used to search and the final search is similar to this:

index=MyIndex (objectId-1)  stringFilter

I don't understand why and what I need to change in order to process all objects of subsearch resultset.

Thanks for any kind help

Marcello

woodcock · ‎06-15-2019

Yo mcfly, @trucall, we've got answers for you, did anything work?

woodcock · ‎06-12-2019

You are taking over too much control and doing it all wrong. Start with this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g"

See what this produces and then switch to this:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g" ] stringFilter

FrankVl · ‎06-13-2019

Using format will result in the subsearch returning something like (objectId="123" OR objectId="456"), which wont work given that objectId apparently is not an extracted field. He wants the subsearch to only return the values, to then work as a string filter.

woodcock · ‎06-13-2019

Ah, based on this clarification, I have modified my original answer above.

FrankVl · ‎06-13-2019

I trust you meant | rex field=search mode=sed "s/objectId=//g" 🙂

woodcock · ‎06-14-2019

ARGH! Yes, you are right (I edited and fixed that, too). I was using a run-anywhere search to test but forgot to convert that part when I posted the answer. Thank you for grading my papers.

FrankVl · ‎06-12-2019

Probably because your subsearch does not have any transforming commands. I think the following should work:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)"| stats values(objectId) as search | eval search = mvjoin(search," OR ") ] stringFilter

Note: if you make sure objectId is properly extracted (so you don't need rex for it), you can simply do:

index=MyIndex [ search index=MyIndex host=as-x | fields objectId | dedup objectId | format ] stringFilter

How to create a subsearch with multiple results?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to create a subsearch with multiple results?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases