Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch not returning any results

gillockb
Explorer
‎11-09-2021 07:11 AM

Hello Splunksters,

I'm new to Splunk and am constructing my first subsearch.  I've read the documentation on subsearches, but am apparently missing something fundamental.  I have a log file that captures and records events based on a GUID.  Obviously GUIDs aren't something one goes searching for directly.  The primary search is by phone number.  So, I need to accept a phone number, retrieve the associated GUID and then return all the results tied to that GUID.  I have the search retrieving the GUID working, and want to use that as the subsearch.

Ultimate search I wish to run:

index="myIndex" sourcetype="mySourceType" 7c10cfbc-6892-4590-a05c-c12acf16932b

 

Search retrieving GUID (this works):

index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID

 

What I thought the subsearch should look like:

index="myIndex" sourcetype="mySourceType"  [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID]

Everything in the [] returns the GUID, as I understand the doc, that should be what is searched for in the main search.  What am I missing?

Thank you!

Brian

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gillockb
Explorer
‎11-10-2021 10:28 AM

Bah!  I figured it out.  I did not realize the format command was being applied to the subsearch resulting in 

( ( GUID="7c10cfbc-6892-4590-a05c-c12acf16932b" ) )

instead of just the GUID value.  And as the raw data does not contain a GUID field, there was nothing to match it to.  Since I constructed the subsearch in the Search app it was giving me just the value I was looking for.  Hard lesson learned...

 

I ran an Extract  New Fields to create the GUID field from the raw data and now am receiving the results I desire.  Thanks all for taking a look and thanks again, JC for trying to help!

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

gillockb
Explorer
‎11-10-2021 10:28 AM

Bah!  I figured it out.  I did not realize the format command was being applied to the subsearch resulting in 

( ( GUID="7c10cfbc-6892-4590-a05c-c12acf16932b" ) )

instead of just the GUID value.  And as the raw data does not contain a GUID field, there was nothing to match it to.  Since I constructed the subsearch in the Search app it was giving me just the value I was looking for.  Hard lesson learned...

 

I ran an Extract  New Fields to create the GUID field from the raw data and now am receiving the results I desire.  Thanks all for taking a look and thanks again, JC for trying to help!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

jcraumer
Explorer
‎11-10-2021 10:41 AM

Glad you were able to figure it out.

0 Karma
Reply
Solved! Jump to solution

jcraumer
Explorer
‎11-09-2021 07:21 AM

Try adding a join:

The sub search should produce the GUID based on your logic, however the format of the GUID in the outer search would need to match.  If the inner search shows the GUID as

7c10cfbc-6892-4590-a05c-c12acf16932b

after you replace and rex then the outer search would also need to have a match GUID field of 

7c10cfbc-6892-4590-a05c-c12acf16932b

index="myIndex" sourcetype="mySourceType"
| join GUID [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| fields GUID ]
| table GUID, <other fields from the outer search you want to display>

 

0 Karma
Reply
Solved! Jump to solution

gillockb
Explorer
‎11-09-2021 10:45 AM

Thank you, JC.  I very much appreciate the assist, unfortunately that didn't help.  Returns no results again.

The regex actually provides me with the GUID.  It's a much longer string in the logs.  And the first query with the GUID hardcoded gives me the final results I'm looking for.

Thanks again!  Cheers,

Brian

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...