How to use the results of a subsearch to search an index for a pattern or regex on a particular field?

nightflame
Explorer

I want to use the results of a subsearch to search an index for a pattern/regex on a particular field.

I have this working:

| metadata type=hosts index=* | search [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 name | rename name AS host | table host] 

This extracts the names of assets from my CMDB index and checks whether that name has been used as the host for events logged to any event index.

This works well and I have a similar query for sources:

| metadata type=sources index=* | search [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS source | table source] 

But I also want to do a wildcard lookup on sources based on the IP extracted from the CMDB.

What I want to do is:

| metadata type=sources index=* | search source="*[ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS source | table source]*"

But obviously that syntax is invalid. I have tried to use regex but get similar syntax issues. Any help would be appreciated.

0 Karma

Richfez
SplunkTrust

So, using your subsearch method, try it this way.

What you asked for, but which won't quite work:

| metadata type=sources index=* | search source="*[ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS source | table source]*"

In order to achieve that, you'll want to reformat the returned values of the subsearch. To do this, at the end of your subsearch eval a new field called search that has your value concatenated with wildcards. That will then get returned as is, and will substitute right in.

In the below, which I believe will work, we build that return string into items like source=*192.168.0.25*. I believe this will work and have tested it in various ways but only on my data, not yours. So as always your mileage may differ.

| metadata type=sources index=* [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS source | eval search="source=*".source."*"] 

So give that a try and see if that's better and closer!

Happy Splunking!
Rich
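To make the substitution mechanism in the answer above concrete, here is an added Python model (not Splunk's own code) of how a subsearch's rows are expanded into the outer search, both for the plain `table source` form and for the `eval search="source=*".source."*"` form. The CMDB rows and the source names are constructed sample data; note that the wildcard form also catches `10.0.0.250` when looking for `10.0.0.25`.

```python
import re

# Constructed stand-in for the rows the CMDB subsearch returns.
CMDB_ROWS = [{"source": "10.0.0.25"}, {"source": "10.0.0.7"}]

# Constructed stand-in for "| metadata type=sources" output.
SOURCES = [
    "/var/log/10.0.0.25/messages",
    "udp:514:10.0.0.7",
    "10.0.0.250",
    "/var/log/syslog",
]


def render_subsearch(rows):
    """Model of subsearch expansion: each row becomes field="value" clauses
    joined by AND, rows are joined by OR. A row carrying a field named
    'search' is inserted verbatim instead, which is what the eval trick uses."""
    clauses = []
    for row in rows:
        if "search" in row:
            clauses.append(row["search"])
        else:
            clauses.append(" AND ".join(f'{k}="{v}"' for k, v in row.items()))
    return " OR ".join(f"( {c} )" for c in clauses)


def with_wildcards(rows):
    """The eval search="source=*".source."*" step from the answer."""
    return [{"search": f"source=*{r['source']}*"} for r in rows]


def matches(expanded, sources):
    """Approximate evaluation of the expanded filter: every source=<pattern>
    term becomes an anchored regex with * meaning .*; a source passes if any
    OR'd term matches it."""
    terms = re.findall(r'source=(?:"([^"]*)"|(\S+?))\s*\)', expanded)
    regexes = [
        re.compile("^" + re.escape(q or bare).replace(r"\*", ".*") + "$")
        for q, bare in terms
    ]
    return [s for s in sources if any(rx.match(s) for rx in regexes)]


if __name__ == "__main__":
    exact = render_subsearch(CMDB_ROWS)
    wild = render_subsearch(with_wildcards(CMDB_ROWS))
    print(exact, "->", matches(exact, SOURCES))  # exact form finds nothing here
    print(wild, "->", matches(wild, SOURCES))    # wildcard form finds three
```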

Richfez
SplunkTrust

The map command might be your solution. I'm not as well versed in map as in other commands, but I think what you'll want is

index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS MySource | map search="| metadata type=sources index=* | search source=\"*$MySource$*\" "

So, we've flipped it around and run your "little inside" search first, then use map to run a new search over each of those results. In order to use a leading wildcard on "source" (which I renamed to MySource so I didn't get into keyword confusion; I'd recommend doing the same in yours), I had to put it in quotes, which of course needed escaping because they're inside quotes...

Let me know how it goes!

Happy Splunking,
Rich

0 Karma

nightflame
Explorer

I tried this, but it only ever returns one result. It's like the map command only runs on the first result returned by the first search.

0 Karma