Splunk Search

Subsearch not returning any results

gillockb
Explorer

Hello Splunksters,

I'm new to Splunk and am constructing my first subsearch.  I've read the documentation on subsearches, but am apparently missing something fundamental.  I have a log file that captures and records events based on a GUID.  Obviously GUIDs aren't something one goes searching for directly.  The primary search is by phone number.  So, I need to accept a phone number, retrieve the associated GUID and then return all the results tied to that GUID.  I have the search retrieving the GUID working, and want to use that as the subsearch.

Ultimate search I wish to run:

index="myIndex" sourcetype="mySourceType" 7c10cfbc-6892-4590-a05c-c12acf16932b


Search retrieving GUID (this works):

index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID


What I thought the subsearch should look like:

index="myIndex" sourcetype="mySourceType"  [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID]

Everything in the [] returns the GUID; as I understand the doc, that should be what is searched for in the main search.  What am I missing?

Thank you!

Brian

1 Solution

gillockb
Explorer

Bah!  I figured it out.  I did not realize the format command was being applied to the subsearch, resulting in

( ( GUID="7c10cfbc-6892-4590-a05c-c12acf16932b" ) )

instead of just the GUID value.  And as the raw data does not contain a GUID field, there was nothing to match it to.  Since I constructed the subsearch in the Search app it was giving me just the value I was looking for.  Hard lesson learned...


I ran an Extract New Fields to create the GUID field from the raw data and now am receiving the results I desire.  Thanks all for taking a look and thanks again, JC, for trying to help!


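As an added example (not from the thread), one way to get a bare value back from the subsearch without defining a GUID field on the outer events: the return command with a `$field` argument emits only the field's value, so the outer search matches it against _raw exactly like the hardcoded search does. It reuses the thread's own extraction pipeline and placeholders (myIndex, myHost, mySourceType, <phoneNumber>).

```spl
index="myIndex" sourcetype="mySourceType"
    [ search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
    | rex field=_raw "(?<GUID>\].*$$)"
    | rex field=GUID "(?<GUID>[^NAME]+)"
    | eval GUID=replace(GUID, "]", "")
    | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
    | dedup GUID
    | return $GUID ]
```

`return $GUID` yields `7c10cfbc-6892-4590-a05c-c12acf16932b` rather than `( ( GUID="..." ) )`; if several GUIDs can match one phone number, use `return 10 $GUID` (or the size you need) so the values are ORed together instead of only the first being returned.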


jcraumer
Explorer

Glad you were able to figure it out.


jcraumer
Explorer

Try adding a join:

The subsearch should produce the GUID based on your logic; however, the format of the GUID in the outer search would need to match.  If the inner search shows the GUID as

7c10cfbc-6892-4590-a05c-c12acf16932b

after you replace and rex, then the outer search would also need to have a matching GUID field of

7c10cfbc-6892-4590-a05c-c12acf16932b

index="myIndex" sourcetype="mySourceType"
| join GUID [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| fields GUID ]
| table GUID, <other fields from the outer search you want to display>



gillockb
Explorer

Thank you, JC.  I very much appreciate the assist; unfortunately, that didn't help.  It returns no results again.

The regex actually provides me with the GUID.  It's a much longer string in the logs.  And the first query with the GUID hardcoded gives me the final results I'm looking for.

Thanks again!  Cheers,

Brian
