subsearch on more than two strings

daishih
Path Finder

I have three source types I want to search using a user's username. One of the source types only knows the user's IP address but the other two know the user's username. I am trying to construct a search that greps the username and IP then searches all three source types using the username's IP. This search string is what I have been experimenting with:

blocked OR deny [search sourcetype=pan:traffic | rex field=user "mydomain\\\(?.*)" | search username=$userName$ | rename src_ip AS src | fields src]

When I perform a regular search for "blocked OR deny" I get all the results for all users but when I try to add the sub search no results are returned. According to the search tutorial documentation on sub searches this should be working. Any help would be greatly appreciated!

1 Solution

gabriel_vasseur
Contributor

Have you tried to run the subsearch on its own? If you do, I would expect Splunk to complain about an error in the regex.

(?.*) is not a valid regex. Maybe you meant either (.*) or (?:.*), which are valid regexes (the first one is capturing, the second is non-capturing), but they are still not suitable for rex because they are not extracting anything.

I think what you need is (?P<username>.*).

Also, I'm not sure about the three backslashes... the third one will just escape the bracket. Maybe you only need two of them?

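The three regex variants discussed in the answer, and the subsearch-then-outer-search flow the question is trying to build, modelled in Python. This is an added example, not code from either poster and not Splunk itself: Python's re module stands in for Splunk's PCRE engine (both accept the (?P<name>...) named-group syntax, and both reject (?.*)), and the pan:traffic, proxy and fw events are constructed sample data. How Splunk's own double-quoted search strings treat backslashes is not modelled; the backslash comparison below is purely at the regex level.

```python
import re

# Constructed sample events (not from the original thread). pan:traffic carries
# a DOMAIN\user field; the other two sourcetypes only know the client IP.
PAN_TRAFFIC = [
    {"sourcetype": "pan:traffic", "user": r"mydomain\alice", "src_ip": "10.1.2.3"},
    {"sourcetype": "pan:traffic", "user": r"mydomain\bob",   "src_ip": "10.1.2.4"},
]
OTHER_EVENTS = [
    {"sourcetype": "proxy", "src": "10.1.2.3", "_raw": "GET http://bad.example/ blocked by policy"},
    {"sourcetype": "proxy", "src": "10.1.2.4", "_raw": "GET http://ok.example/ allowed"},
    {"sourcetype": "fw",    "src": "10.1.2.3", "_raw": "deny tcp 10.1.2.3 -> 203.0.113.9:445"},
    {"sourcetype": "fw",    "src": "10.1.2.9", "_raw": "deny tcp 10.1.2.9 -> 203.0.113.9:445"},
]

# The regex the answer suggests: two backslashes match ONE literal backslash,
# and the named group is what lets rex create a field called "username".
USERNAME_RE = re.compile(r"mydomain\\(?P<username>.*)")


def regex_compiles(pattern):
    """True if the pattern is a valid regex; False for things like (?.*)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def group_names(pattern):
    """Names a rex-style engine would turn into fields (empty for (.*) or (?:.*))."""
    return sorted(re.compile(pattern).groupindex)


def pattern_matches(pattern, text):
    """Regex-level check used to compare \\\\( against \\\\: three backslashes
    leave a trailing \\( that demands a literal '(' in the input."""
    return re.search(pattern, text) is not None


def extract_username(user_field):
    """The 'rex field=user' step: username or None when nothing matched."""
    m = USERNAME_RE.search(user_field)
    return m.group("username") if m else None


def subsearch_src_for(username, traffic=PAN_TRAFFIC):
    """Models the subsearch:
    sourcetype=pan:traffic | rex ... | search username=<u> | rename src_ip AS src | fields src
    Returns the distinct src values that Splunk would splice into the outer search."""
    return sorted({e["src_ip"] for e in traffic if extract_username(e["user"]) == username})


def outer_search(username, events=OTHER_EVENTS, traffic=PAN_TRAFFIC):
    """Models: blocked OR deny [subsearch]. The subsearch result is expanded to a
    disjunction of src=... terms and ANDed with the outer search terms. In this
    model an empty subsearch result matches nothing (assumption for illustration)."""
    srcs = subsearch_src_for(username, traffic)
    if not srcs:
        return []
    term = re.compile(r"\b(blocked|deny)\b", re.IGNORECASE)
    return [e for e in events if e["src"] in srcs and term.search(e["_raw"])]


if __name__ == "__main__":
    for p in ["(?.*)", "(.*)", "(?:.*)", "(?P<username>.*)"]:
        ok = regex_compiles(p)
        print(f"{p:20} compiles={ok} fields={group_names(p) if ok else '-'}")
    print("three backslashes:", pattern_matches(r"mydomain\\\((?P<username>.*)", r"mydomain\alice"))
    print("two backslashes:  ", pattern_matches(r"mydomain\\(?P<username>.*)", r"mydomain\alice"))
    for u in ["alice", "bob", "carol"]:
        print(u, "->", subsearch_src_for(u), [e["_raw"] for e in outer_search(u)])
```

Running the subsearch part on its own (subsearch_src_for) before wiring it into the outer search is the same debugging step the answer recommends: if the regex is invalid the subsearch errors out, and if the named group is missing no username field ever exists for search username=... to match, so the outer search silently gets an empty result.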
