Splunk Search

subsearch not help

mcbradford
Contributor

I asked this earlier and the solution did not work, so I am asking again. I think I am really close...

Basically what I want to do is look at the previous week for installed products, take the list and then compare it against what has been installed this week and tell me what is new.

For starters, this will provide me the list:

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name

I can take this as a subsearch with an earliest= -7d

Pass the results back to the first, but I need to NOT the products installed.

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name | format "NOT(" "" "" "" "OR" ")"

When I try this...

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name[search index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707  earliest= -7d| dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name | format "NOT(" "" "" "" "OR" ")"]

I get an error:

Error in 'fields' command: Invalid argument: 'product_name=product installed name'

0 Karma
1 Solution

martin_mueller
SplunkTrust

It is what it says on the tin - the argument you pass to fields is invalid:

... | fields product_name[search something something ...


0 Karma

martin_mueller
SplunkTrust

Assuming you want to filter the main search by the subsearch, try something like this:

... | fields product_name | search [search something something ...

This way the subsearch is used as an argument for a search command, not mangled into the fields command which obviously cannot understand it.

0 Karma
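The comparison the question is after (products seen in MsiInstaller 11707 events this week that did not appear the week before) and the exclusion clause the subsearch's `format "NOT(" "" "" "" "OR" ")"` hands back to the outer `search` command, worked through as an added example. This is not code from the thread or from Splunk; it is written in Python so it runs offline, and it reuses the thread's rex pattern (rewritten with Python's `(?P<name>...)` group syntax), applies the same dedup-by-value step, and builds the NOT clause in the shape Splunk's `format` produces (the exact whitespace Splunk emits may differ). All event messages, product names and timestamps are constructed, and the fixed `NOW` is an assumption so the result is reproducible.

```python
import re
from datetime import datetime, timedelta

# Same extraction as the thread's rex, in Python syntax: rex's (?<name>...) is (?P<name>...) here.
# (?s) lets "." span newlines, since MsiInstaller messages can be multi-line.
PRODUCT_RE = re.compile(r"(?s)Product: (?P<product_name>.*) --")

# Constructed sample events (hypothetical, not real log data). Each is (timestamp, Message)
# as a wineventlog:application MsiInstaller EventCode=11707 event would carry it.
SAMPLE_EVENTS = [
    ("2024-01-03T09:12:00", "Product: Example Agent 1.0 -- Installation completed successfully."),
    ("2024-01-04T14:30:00", "Product: Office Suite -- Installation completed successfully."),
    ("2024-01-04T14:30:00", "Product: Office Suite -- Installation completed successfully."),  # exact duplicate, as dedup _raw would drop
    ("2024-01-10T08:00:00", "Product: Office Suite -- Installation completed successfully."),
    ("2024-01-11T16:45:00", "Product: Remote Admin Tool 3.2 -- Installation completed successfully."),
    ("2024-01-12T10:05:00", "Product: Example Agent 1.0 -- Installation completed successfully."),
    ("2024-01-13T11:00:00", "Some unrelated MsiInstaller message without a product marker"),
]

# Assumed fixed "now" so the windows below are reproducible (earliest=-7d etc. are relative to it).
NOW = datetime(2024, 1, 15)


def products_in_window(events, start, end):
    """Set of product_name values from events with start <= time < end.
    Using a set collapses duplicates the way the thread's dedup does."""
    names = set()
    for ts, message in events:
        t = datetime.fromisoformat(ts)
        if not (start <= t < end):
            continue
        m = PRODUCT_RE.search(message)
        if m:  # events without the "Product: ... --" marker yield no product_name, as with rex
            names.add(m.group("product_name").strip())
    return names


def previous_week_products(events, now=NOW, window_days=7):
    """What the subsearch would return: products installed in the window before the current one."""
    this_start = now - timedelta(days=window_days)
    return products_in_window(events, this_start - timedelta(days=window_days), this_start)


def this_week_products(events, now=NOW, window_days=7):
    """Products installed in the current window (the outer search's results)."""
    return products_in_window(events, now - timedelta(days=window_days), now)


def new_installs(events, now=NOW, window_days=7):
    """The set difference the question asks for: this week's products minus last week's."""
    return sorted(this_week_products(events, now, window_days) - previous_week_products(events, now, window_days))


def format_not_clause(products):
    """Exclusion clause in the shape of `format "NOT(" "" "" "" "OR" ")"`.
    Values are double-quoted with embedded backslashes and quotes escaped."""
    if not products:
        return ""
    terms = ['product_name="%s"' % p.replace("\\", "\\\\").replace('"', '\\"') for p in sorted(products)]
    return "NOT( " + " OR ".join(terms) + " )"


if __name__ == "__main__":
    print("Clause the subsearch passes to the outer search:", format_not_clause(previous_week_products(SAMPLE_EVENTS)))
    print("New this week:", new_installs(SAMPLE_EVENTS))
```

Run as a script, the first line printed is the clause the outer `| search [...]` receives, and the second is the one product that is new this week. Note that this only flags names absent from the previous window; a product that was installed, removed and reinstalled within the same week is not "new" under this definition, so a detection rule built on it should say which baseline window it compares against.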

riqbal47010
Path Finder

Hi,

Are you able to get the desired results?

0 Karma

mcbradford
Contributor

I get that! So what would the correct search look like?

0 Karma