Splunk Search

Using nested subsearch where subsearch is results of a regex

Path Finder

Hi Splunk friends, looking for some help in this use case

i'm trying to use results from a subsearch to feed a search, however;
1) subsearch is results of a regex pull
2) i would like the results to be treated as ORs, not ANDs

example:

sourcetype="error log" "SOAP Request before sending" [search sourcetype="error log" specificerrorcode | rex field=_raw "AccountID(?\d+)/AccountID" | fields + A1 | rename A1 as search]

i want to use the results from the field that i named A1 to feed into my main search but as OR statements, not ANDs

Tags (2)
0 Karma
1 Solution

Champion

What you are trying to do won't work with the multiple values as you have it. You need to try something a little differently

sourcetype="error log" "SOAP Request before sending" [search sourcetype="error log" specific_error_code | rex field=_raw "AccountID(?\d+)/AccountID" | stats count by A1 | fields + A1 | format "(" "" "" "OR" "" ")" | eval search =replace(search, "A1=", "")]

View solution in original post

Champion

What you are trying to do won't work with the multiple values as you have it. You need to try something a little differently

sourcetype="error log" "SOAP Request before sending" [search sourcetype="error log" specific_error_code | rex field=_raw "AccountID(?\d+)/AccountID" | stats count by A1 | fields + A1 | format "(" "" "" "OR" "" ")" | eval search =replace(search, "A1=", "")]

View solution in original post

Path Finder

Hi rjthibod, your response is much appreciated. i've tried that and does not work

i reviewed this page: http://docs.splunk.com/Documentation/Splunk/4.3.7/User/HowSubsearchesWork#Result_output_settings_for...

however the examples is not really working (or i'm not understanding how to use properly)

0 Karma

Champion

First, post your response as a comment to the answer, not as a new answer. It makes it harder for people to track things.

Seconds, I just realized what you are getting at. Will update my original response with a new solution.

0 Karma

Path Finder

noted 😃 (still new to the forums)

Am trying to get better at Splunk, going through the pains of syntax and methodology, so i really do appreciate your follow up

Cheers!

0 Karma

SplunkTrust
SplunkTrust

moved the comment to the correct position for you.

0 Karma

Champion

See new answer above.

0 Karma

Path Finder

Hi rjthibod, after seeing your example, tried it, received an error (tried my best to understand the query analyzer but i'm not quite there yet)

read up on what format did and what replace did and tried this way as the native result of format is always OR and it worked!!

sourcetype="error log" "SOAP Request before sending" [search sourcetype="error log" specificerrorcode | rex field=_raw "AccountID(?\d+)/AccountID" | stats count by A1 | fields + A1 | format | eval search =replace(search, "A1=", "")]

many thanks for leading me down the right path!!

0 Karma

SplunkTrust
SplunkTrust

@eddychuah - Please accept rjhibod's updated answer so that folks will know your issue has been solved. In general, you can also upvote any comments or answers that you found particularly helpful, any time you want, on your own question or anyone else's.

This is not important on this question, but that's one way you can reward people for helpful information or workable answers that didn't happen to be the best one, or when you didn't post the question, but were just reading it several months later!

0 Karma