Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why am I getting error "unknown search command ind...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
datablick
Engager
01-29-2015
03:54 PM
Hello.
I have a search that looks for event id's that are the result of a regex:
index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.datablick.com" "Quarantined by Content Filtering" | rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid
This runs successfully. I would then like to use these event id's in a subsearch to pull out all events with those id's, not just the Quarantined ones. I tried a subsearch first:
index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.datablick.com" |rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid [ index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.datablick.com" "Quarantined by Content Filtering" | rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid ]
and then tried a join:
index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" |rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid | join eventid search [ index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" "Quarantined by Content Filtering" | rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid ]
But I keep getting the error "unknown search command index" What am I doing wrong?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jayannah
Builder
01-29-2015
04:04 PM
Your join syntax is incorrect
it should be
... | join eventid [search index=ap...... ]
So finally your query looks like:
index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" |rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid | join eventid [search index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" "Quarantined by Content Filtering" | rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jayannah
Builder
01-29-2015
04:04 PM
Your join syntax is incorrect
it should be
... | join eventid [search index=ap...... ]
So finally your query looks like:
index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" |rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid | join eventid [search index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" "Quarantined by Content Filtering" | rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
datablick
Engager
01-29-2015
04:14 PM
Thank you!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
