I have three source types I want to search using a user's username. One of the source types only knows the user's IP address but the other two know the user's username. I am trying to construct a search that greps the username and IP then searches all three source types using the username's IP. This search string is what I have been experimenting with:
blocked OR deny [search sourcetype=pan:traffic | rex field=user "mydomain\\\(?.*)" | search username=$userName$ | rename src_ip AS src | fields src]
When I perform a regular search for "blocked OR deny" I get all the results for all users but when I try to add the sub search no results are returned. According to the search tutorial documentation on sub searches this should be working. Any help would be greatly appreciated!
$username$ is a token in the dashboard. I created a text entry field for that token which will be used to enter usernames into.
srcip is the field I get from the username in the subsearch; srcip is what I want to use to search the outer search. I tried:
block OR deny [search sourcetype=pan:traffic | search user="mydomain\\$username$" | rename src_ip AS src | fields src]
but that didn't seem to work either 😞
Well then, as long as the values (IP) match, this should work 🙂
block OR deny [search sourcetype=pan:traffic | rex field=user "mydomain\(?.*)"" | search username=$userName$ | rename src_ip AS src | table src]
Unfortunately your string did not work. Splunk complained about the regex and the (). However, I got it to work with this:
blocked OR deny [search sourcetype=pan:traffic | rex field=user "mydomain\\\(?P<username>.*)" | search username=$userName$ | rename src_ip AS src | table src ]
Have you tried to run the subsearch on its own? If you do, I would expect Splunk to complain about an error in the regex.
(?.*) is not a valid regex. Maybe you meant either
(?:.*) which are valid regexes (the first one is capturing, the second is non-capturing), but they are still not suitable for rex because they are not extracting anything.
I think what you need is
Also, I'm not sure about the three backslashes... the third one will just escape the bracket. Maybe you only need two of them?
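To make the mechanics concrete, here is an added Python model of the working search from the thread (not Splunk code, and not from any poster): the rex extraction with a named group, the subsearch that turns a username into src values, and the outer "blocked OR deny" search filtered by those values. Events, field names and the domain "mydomain" are constructed sample data; "blocked OR deny" is simplified to a match on an action field rather than Splunk's full-text keyword search.

```python
import re

# Constructed sample events standing in for the sourcetypes in the thread.
# pan:traffic knows both user and src_ip; the outer search sees events from
# all three sourcetypes, one of which only carries the IP.
TRAFFIC = [
    {"user": r"mydomain\jdoe", "src_ip": "10.1.2.3"},
    {"user": r"mydomain\asmith", "src_ip": "10.1.2.4"},
]
EVENTS = [
    {"sourcetype": "pan:traffic", "src": "10.1.2.3", "action": "blocked"},
    {"sourcetype": "proxy", "src": "10.1.2.3", "action": "allowed"},
    {"sourcetype": "fw", "src": "10.1.2.4", "action": "deny"},
    {"sourcetype": "fw", "src": "10.1.2.3", "action": "deny"},
]

# The rex pattern "mydomain\\\(?P<username>.*)" as Splunk hands it to the regex
# engine after string unescaping: a literal backslash, then a named group.
USER_RE = re.compile(r"mydomain\\(?P<username>.*)")


def rex_username(user_field):
    """Mimic `rex field=user ...`: return the captured username, or None."""
    m = USER_RE.match(user_field)
    return m.group("username") if m else None


def subsearch_src(username, traffic=TRAFFIC):
    """`search sourcetype=pan:traffic | rex ... | search username=X
       | rename src_ip AS src | fields src`
    Returns the set of src values the subsearch hands to the outer search
    (Splunk ORs them together as src="a" OR src="b" ...)."""
    return {e["src_ip"] for e in traffic if rex_username(e["user"]) == username}


def outer_search(username, events=EVENTS, traffic=TRAFFIC):
    """`blocked OR deny [subsearch]`: keep matching events whose src is one
    of the subsearch's values, regardless of sourcetype."""
    srcs = subsearch_src(username, traffic)
    return [e for e in events
            if e["action"] in ("blocked", "deny") and e["src"] in srcs]


def regex_is_valid(pattern):
    """Why (?.*) fails: a '?' right after '(' must start a group modifier."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False
```

An empty subsearch result (no traffic event for the username) yields no outer results at all, which is the symptom the original poster described.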