Solved: Re: How to use subsearch

Laya123 · ‎02-17-2015

Hi,

please help me to use subsearch,

I have a main search query like

index=A host=B cs_method="GET" cst="XXX" | where isnull(ksid) and isnotnull(i_p) | stats c(_raw) by i_p

result of above query is
i_p c(_raw)
CD 3
CW2 1
DYLA 3
ABC12 7
XYZ31 34
jjjwwgga 39
ngrisoew 40
rtucw 43
Poeyt 15

meaning of the above output is, the above i_p s are not using secuirty check for some ids (each i_p is having their respective number of ids which is not using security check for example i_p of ABC12 for this i_p 7 IDs are not using security check)

I want to take the above i_p and check how many are using securitycheck and how many are not using security check

my output will be like

CD 3 123fgs No 2
1456mk No 1
674hjn Yes 1
453bcd Yes 1

CW2 1
DYLA 3
ABC12 7
XYZ31 34
jjjwwgga 39
ngrisoew 40
rtucw 43
Poeyt 15

means i-p of CD have total 5 sessiosons in that 3 sessions not used securitycheck and 2 used security check

I tired the below query but its not showing the output how i am expected

I got output like

CD 2 123fgs No 2
CD 1 1456mk No 1
CD 1 674hjn Yes 1
CD 1 453bcd Yes 1

CW2 1
DYLA 3
ABC12 7
XYZ31 34
jjjwwgga 39
ngrisoew 40
rtucw 43
Poeyt 15

Pl can anyone help me in this

Thanks & Regards

Laya123 · ‎03-04-2015

Hi Patrick,

here is the query which I used

index=iis sourcetype=iis host=ABC cs_method="GET" cs_uri_stem="*mriweb.dll*" i_project!="sample" 
| where isnull(ksid) and isnotnull(i_p)  
| eval UsingSecu=if(match(csq, "ksid"), "Yes", "No")

Thanks

View solution in original post

Laya123 · ‎03-04-2015

Hi Patrick,

here is the query which I used

index=iis sourcetype=iis host=ABC cs_method="GET" cs_uri_stem="*mriweb.dll*" i_project!="sample" 
| where isnull(ksid) and isnotnull(i_p)  
| eval UsingSecu=if(match(csq, "ksid"), "Yes", "No")

Thanks

markthompson · ‎02-18-2015

I'm also interested in the answer to this

cchitten · ‎02-18-2015

markthompson, can you give me an example of the data you have and what you want to get out and I can try to answer your question?

markthompson · ‎02-18-2015

Hi cchitten,
We have 2 different events, listed below;
name=com.**************** value=5
name=threshold.max.com*********** value=200

which are transactioned together, but using that we want to use a subsearch in order to get the threshold max out of that transactioned event and set into a field called Max.

Also, Its something completely new to me so would be useful if you know how for v6.0.5

cchitten · ‎02-19-2015

So you want:

Threshold Value
- 5
Max 200

In that case I dont think you want to use subsearch. I think you want rex such as:

| rex field=_raw "threshold.(?.*)."

This should extract the field you want.

markthompson · ‎02-19-2015

Yeh we have found this solution now, thanks Cchitten, but I was also wondering how you use subsearches in 6.0.5

Laya123 · ‎02-26-2015

sorry for delay response, I have done this query which I asked using splunk documentation. Now i am getting results what I expected

Thank you

ppablo · ‎03-03-2015

Hi @Laya123

Can you please post your final search that actually solved your issue? Otherwise, this post is just going to float on Answers forever without a real solution. Thanks!

Patrick

cchitten · ‎02-17-2015

Can you write a simpler example? With less "sdfsdfas4235q235" and more "a1,a2,b1,b2,etc".

How to use subsearch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?