Splunk Search

subsearch on more than two strings

Path Finder

I have three source types I want to search using a user's username. One of the source types only knows the user's IP address but the other two know the user's username. I am trying to construct a search that greps the username and IP then searches all three source types using the username's IP. This search string is what I have been experimenting with:

blocked OR deny [search sourcetype=pan:traffic | rex field=user "mydomain\\\(?.*)" | search username=$userName$ | rename src_ip AS src | fields src]

When I perform a regular search for "blocked OR deny" I get all the results for all users but when I try to add the sub search no results are returned. According to the search tutorial documentation on sub searches this should be working. Any help would be greatly appreciated!


Re: subsearch on more than two strings

Legend

Where are you getting the value for $userName$? Is this a user entry field in a dashboard?


Re: subsearch on more than two strings

Path Finder

$username$ is a token in the dashboard. I created a text entry field for that token which will be used to enter usernames into.


Re: subsearch on more than two strings

Legend

What is the name of the field that has IP information in your main search?


Re: subsearch on more than two strings

Path Finder

src_ip is the field I get from the username in the subsearch; src_ip is what I want to use to search the outer search. I tried:

 block OR deny [search sourcetype=pan:traffic | search user="mydomain\\$username$" | rename src_ip AS src | fields src]

but that didn't seem to work either 😞


Re: subsearch on more than two strings

Legend

What do you get when you run this search by itself?

block OR deny src=*

Re: subsearch on more than two strings

Path Finder

If I run that it lists blocked or deny records along with their src_ip.


Re: subsearch on more than two strings

Legend

Well then, as long as the values (IP) match, this should work 🙂

block OR deny [search sourcetype=pan:traffic | rex field=user "mydomain\(?.*)"" | search username=$userName$ | rename src_ip AS src | table src]


Re: subsearch on more than two strings

Path Finder

Unfortunately your string did not work; Splunk complained about the regex and the (). However, I got it to work with this:

 blocked OR deny [search sourcetype=pan:traffic | rex field=user "mydomain\\\(?P<username>.*)" | search username=$userName$ | rename src_ip AS src | table src ]

Many thanks!


Re: subsearch on more than two strings

Contributor

Have you tried to run the subsearch on its own? If you do, I would expect Splunk to complain about an error in the regex.

(?.*) is not a valid regex. Maybe you meant either (.*) or (?:.*), which are valid regexes (the first one is capturing, the second is non-capturing), but they are still not suitable for rex because they are not extracting anything.

I think what you need is (?P<username>.*).

Also, I'm not sure about the three backslashes... the third one will just escape the bracket. Maybe you only need two of them?

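A small Python model of the working search from this thread, added here as an illustration and not part of any post: the inner function plays the subsearch (rex with a named capture group, filter on the username, collect the src values), the outer function plays "blocked OR deny" restricted to those src values, and a helper shows why the malformed (?.*) pattern is rejected while (?P<username>.*) is accepted. The event records are constructed sample data, and Python's re module stands in for Splunk's regex engine (both accept the (?P<name>...) named-group syntax).

```python
import re

# Constructed sample data standing in for the two kinds of sourcetype in the thread.
# pan:traffic events carry a domain-qualified user plus the client's src_ip.
PAN_TRAFFIC = [
    {"user": "mydomain\\jdoe",   "src_ip": "10.1.2.3"},
    {"user": "mydomain\\jdoe",   "src_ip": "10.1.2.99"},
    {"user": "mydomain\\asmith", "src_ip": "10.1.5.7"},
]
# The outer search's events only know the client IP (field already named src).
OUTER_EVENTS = [
    {"action": "blocked", "src": "10.1.2.3",  "url": "example.invalid/a"},
    {"action": "deny",    "src": "10.1.5.7",  "url": "example.invalid/b"},
    {"action": "allow",   "src": "10.1.2.3",  "url": "example.invalid/c"},
    {"action": "deny",    "src": "10.1.2.99", "url": "example.invalid/d"},
]

# Equivalent of: rex field=user "mydomain\\(?P<username>.*)"
# The named group is what makes rex populate a new field; "(?.*)" is a syntax error.
USER_RE = re.compile(r"mydomain\\(?P<username>.*)")


def regex_is_valid(pattern: str) -> bool:
    """Mirror Splunk rejecting a malformed rex pattern: True if it compiles."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def subsearch_src_for_user(user_name: str) -> set:
    """Inner search: extract username, keep matching events, return the set of src values."""
    srcs = set()
    for event in PAN_TRAFFIC:
        m = USER_RE.search(event["user"])
        if m and m.group("username") == user_name:
            srcs.add(event["src_ip"])  # rename src_ip AS src | fields src
    return srcs


def outer_search(user_name: str) -> list:
    """Outer search: 'blocked OR deny' events whose src came back from the subsearch."""
    srcs = subsearch_src_for_user(user_name)
    return [e for e in OUTER_EVENTS
            if e["action"] in ("blocked", "deny") and e["src"] in srcs]


if __name__ == "__main__":
    print(outer_search("jdoe"))
```

The subsearch result behaves like an implicit OR over the returned src values, which is why an empty subsearch (for example, a regex that never produces a username field) yields no outer results at all.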