
How to use a sub-search result as table fields?

nextpart
Explorer

I am trying to use a search to find fields that I want to use in another search as a table field.

The first search should return all fields that are used in a datamodel. This looks like this:

| datamodel "Authentication" 
| spath output=foo path=objects{}
| spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
| spath input=foo output=field path=fields{}.displayName
| eval fields = mvappend(calc_field , field)
| mvexpand fields
| table fields

Then I want to use the list of fields in the table command. I do this in order to be able to check the coverage of the CIM fields in the search. Unfortunately, so far without success, so I am grateful for all ideas and any kind of input.

My first guess was something like:

index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [
   | datamodel "Authentication" 
   | spath output=foo path=objects{}
   | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
   | spath input=foo output=field path=fields{}.displayName
   | eval fields = mvappend(calc_field , field)
   | mvexpand fields
   | format   "" "" "," "" "" ""
   | rex mode=sed field=search "s/fields=//g"
   | rename search as table
]

ITWhisperer
SplunkTrust

Try something like this:

index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [
   | datamodel "Authentication" 
   | spath output=foo path=objects{}
   | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
   | spath input=foo output=field path=fields{}.displayName
   | eval query = mvappend(calc_field , field)
   | mvexpand query
   | format   "" "" "" "" "" ""
]

nextpart
Explorer

Hi @ITWhisperer, thanks for your reply. I already tried that one but get the following error:

Error in 'table' command: Invalid argument: 'calc_field=action'

ITWhisperer
SplunkTrust (accepted solution)

Sorry, I missed a line

index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [
   | datamodel "Authentication" 
   | spath output=foo path=objects{}
   | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
   | spath input=foo output=field path=fields{}.displayName
   | eval query = mvappend(calc_field , field)
   | fields query
   | mvexpand query
   | format   "" "" "" "" "" ""
]
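Added example, not part of the thread and not Splunk's or ITWhisperer's code: the accepted answer works because a subsearch that returns only a field named `query` (or `search`) is substituted into the outer search as bare values, whereas any other field comes back as `name=value`, which is exactly the `calc_field=action` that `table` rejected before `| fields query` was added. Since SPL cannot be run stand-alone here, the Python below reproduces the two steps of the answer on a constructed, deliberately minimal datamodel JSON (only the keys the spath paths walk, `objects[].fields[].displayName` and `objects[].calculations[].outputFields[].displayName`; a real `| datamodel` export carries far more) and then does the CIM coverage check the question was after, against a few constructed events. All function and variable names, the JSON and the events are assumptions made for this illustration.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed, deliberately minimal datamodel JSON (assumption: NOT a real
# `| datamodel Authentication` export). Only the keys walked by the thread's
# spath paths are present.
DATAMODEL_JSON = json.dumps({
    "modelName": "Authentication",
    "objects": [
        {
            "objectName": "Authentication",
            "fields": [
                {"displayName": "_time"},
                {"displayName": "user"},
                {"displayName": "src"},
                {"displayName": "dest"},
            ],
            "calculations": [
                {"outputFields": [{"displayName": "action"}, {"displayName": "app"}]},
                {"outputFields": [{"displayName": "signature"}]},
            ],
        },
        {
            "objectName": "Failed_Authentication",
            "fields": [{"displayName": "user"}, {"displayName": "reason"}],
            "calculations": [],
        },
    ],
})

# Constructed sample events, shaped like CIM-normalised Windows logon events.
EVENTS = [
    {"_time": "2024-03-01T10:00:00", "user": "alice", "src": "10.0.0.5",
     "dest": "DC01", "action": "success", "app": "win:local"},
    {"_time": "2024-03-01T10:00:07", "user": "bob", "src": "10.0.0.9",
     "dest": "DC01", "action": "failure", "reason": "bad password"},
    {"_time": "2024-03-01T10:00:12", "user": "", "dest": "DC02",
     "action": "success"},
]


def datamodel_fields(raw: str) -> List[str]:
    """Field names the datamodel exposes, in the order the SPL's
    mvappend(calc_field, field) produces them (calculated fields first),
    de-duplicated because the same CIM field appears in several objects."""
    model = json.loads(raw)
    names: List[str] = []
    for obj in model.get("objects", []):
        for calc in obj.get("calculations", []):
            for out in calc.get("outputFields", []):
                names.append(out["displayName"])
        for fld in obj.get("fields", []):
            names.append(fld["displayName"])
    return list(dict.fromkeys(names))


def subsearch_text(names: List[str], field: str = "query") -> str:
    """What `format "" "" "" "" "" ""` hands to the outer `table`.
    A subsearch field named `query` (or `search`) is substituted verbatim;
    any other field name comes back as name=value, which `table` rejects
    (the 'calc_field=action' error in the thread). Hence `| fields query`."""
    if field in ("query", "search"):
        return " ".join(names)
    return " ".join(f"{field}={n}" for n in names)


def coverage(events: List[Dict[str, str]], names: List[str]) -> Dict[str, int]:
    """Per-field count of events where the field is present and non-empty,
    i.e. the CIM coverage the question wants to measure."""
    counts: Counter = Counter()
    for ev in events:
        for n in names:
            if ev.get(n) not in (None, ""):
                counts[n] += 1
    return {n: counts[n] for n in names}


def uncovered(events: List[Dict[str, str]], names: List[str]) -> List[str]:
    """Datamodel fields that no event in the sample populates."""
    cov = coverage(events, names)
    return [n for n in names if cov[n] == 0]


if __name__ == "__main__":
    names = datamodel_fields(DATAMODEL_JSON)
    print("table", subsearch_text(names))                         # working form
    print("table", subsearch_text(names, field="calc_field"))     # the broken form
    for n, c in coverage(EVENTS, names).items():
        print(f"{n:10s} {c}/{len(EVENTS)}")
    print("never populated:", uncovered(EVENTS, names))
```

Note that an empty string counts as not covered here, which matches the usual `isnotnull(field) AND field!=""` test in SPL; a field that is extracted but always blank tells you nothing about the quality of the normalisation.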