Subsearch Not Filtering Results

jcullins21 · ‎06-13-2018

I am trying to pull a list of filtered IPs from one index and then use that list as a reference to see external traffic from another index. When I run the subsearch command alone it works perfectly and gives me the list I desired. But when I throw the outer search in the mix it gives me all the IP addresses associated with "that_place" and nothing is filtered.

Index= two sourcetype=two dest_ip!=22.*
[ search index=one sourcetype=one
os_type="Thing_1" OR os_type="Thing_2" OR os_type="Thing_3"
NOT os_type!="Thing_4"
NOT os_description="Thing_5"
NOT os_description="Thing_6"
NOT os_hostname="Thing_7"
place="that_place" rename ip AS src | dedup src | table src]
| table src,dest_ip,dest_port,bytes_in,bytes_out

I'm pretty new to Splunk and I know there has to be a better way to complete a simple search across different indexes.

jcullins21 · ‎06-14-2018

Sorry that was a typo. should read:

place="that_place" | rename ip AS src

sushantmhatre · ‎06-13-2018

place="that_place" rename ip AS src

In your rename command, there is no leading pipe or its typo ?

Anyways I think better to move dedup in outer search

Subsearch Not Filtering Results

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Subsearch Not Filtering Results

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers