Solved: Subsearch input

ccsfdave · ‎02-06-2015

Greetings,

I am working with IronPort logs and oddly the mailto and mailfrom fields are not in the same records. So what I am looking to do is create a search similar to:

index=email sourcetype=ironport mailto=%form_var%

which will result in a fields that I can use (icid) to then find the mailfrom field. So I am thinking about a subsearch like:

index=email sourcetype=ironport icid=<number from first search>

So I am wondering two things:

what is the general subsearch layout I would use keeping in mind that the mailto will be furnished by the end user in a form?
Can I pass a bunch of icid's e.g. if I allowed the user to search over a week of emails?

I would like a table of date mailto mailfrom as a very end result.

Thanks for the guidance!

Dave

aweitzman · ‎02-06-2015

Your layout would look like this:

index=email sourcetype=ironport [search index=email sourcetype=ironport mailto=%form_var% | table icid]

Your subsearch ends up giving you a clause that looks like (icid=1 OR icid=2 OR...) based on the results of that search. This gets applied to your main search, and you get the results you're looking for.

View solution in original post

aweitzman · ‎02-06-2015

Your layout would look like this:

index=email sourcetype=ironport [search index=email sourcetype=ironport mailto=%form_var% | table icid]

Your subsearch ends up giving you a clause that looks like (icid=1 OR icid=2 OR...) based on the results of that search. This gets applied to your main search, and you get the results you're looking for.

ccsfdave · ‎02-06-2015

I was dubious that this would do it, but in fact it does. Thanks so much!

Subsearch input

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...