Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch does not work

simuvid
Splunk Employee
Splunk Employee
‎06-09-2011 06:46 AM

What is wrong with following search:

sourcetype="security" ip=[search sourcetype=access_combined status=401 clientip=* | transaction fields clientip | where eventcount>2 | stats count, values(clientip) by status]

What I get is following message:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side.

Any hints?

Cheers

simuvid

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-09-2011 07:11 AM

A subsearch is used this way:

sourcetype="security" [ search sourcetype=access_combined status=401 clientip=* | transaction fields clientip | where eventcount>2 | fields clientip | dedup clientip | rename clientip as ip ]

The subsearch should return a result like this

|    ip     |
| --------- |
| 10.1.1.1  |
| 10.1.1.2  |
| 10.1.1.3  |

Which will expanded to the following condition:

( ( ip="10.1.1.1") OR (ip="10.1.1.2") OR (ip="10.1.1.3") )

You can inspect the conditions generated by the subsearch by executing:

sourcetype=access_combined status=401 clientip=* | transaction fields clientip | where eventcount>2 | fields clientip | dedup clientip | rename clientip as ip | format

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-09-2011 07:11 AM

A subsearch is used this way:

sourcetype="security" [ search sourcetype=access_combined status=401 clientip=* | transaction fields clientip | where eventcount>2 | fields clientip | dedup clientip | rename clientip as ip ]

The subsearch should return a result like this

|    ip     |
| --------- |
| 10.1.1.1  |
| 10.1.1.2  |
| 10.1.1.3  |

Which will expanded to the following condition:

( ( ip="10.1.1.1") OR (ip="10.1.1.2") OR (ip="10.1.1.3") )

You can inspect the conditions generated by the subsearch by executing:

sourcetype=access_combined status=401 clientip=* | transaction fields clientip | where eventcount>2 | fields clientip | dedup clientip | rename clientip as ip | format
Reply
Solved! Jump to solution

simuvid
Splunk Employee
Splunk Employee
‎06-10-2011 05:55 AM

Thanks!!!

That one works as expected!

Cheers,

simuvid

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...