Splunk Search

How to return a rex field from a subquery?

Splunkee
Loves-to-Learn

Hi, I would like to return the rex "field" from a subquery so I can print it out. How do I do that?

index=... "some text" | sort - _time [search message | rex "\[(?<number>\d{3,5})" | rex "(?<field>\w{2,4}@\d{1,4})" | return field] | dedup number | table _time number field

In the result table the column field is always empty. Thanks for help!

0 Karma

PickleRick
SplunkTrust

Can you describe in your own words what you're trying to achieve?

Usually subsearch is _not_ the way to go. Especially if we hear something about "returning" something from a subsearch it mostly means that you want to do something the other way around than it should be done 😉

Remember that the subsearch is evaluated first, then its results are returned and inserted into the main search. In this context your search does not make much sense, because the subsearch will get evaluated to some key/value pairs which will by default be formatted as a set of AND/OR-ed conditions. And those would get placed into a sort command, which does not support conditions as such.

So be more specific on what you need, and we'll try to tell you how to get there 🙂

0 Karma

Splunkee
Loves-to-Learn

Okay I see...

In my subquery I would like to extract two fields from message logs, number and field. Then in my main query I would like to find all entries in "some text" logs where the number is equal to the number in the subquery. Then I want to print the values of _time (main query), number (main query) and field (subquery).

0 Karma

gcusello
SplunkTrust

Hi @Splunkee,

you should conceptually create a join between the two searches.

You could use the join command but I always try to avoid it because it's very slow.

I suppose that the two searches are on different indexes and that the fields number and field are part of another field (message?), so you could run something like this:

index=index1 "some text" [ search index=index2 message | rex field=message "\[(?<number>\d{3,5})"| fields number ] 
| rex field=message "(?<field>\w{2,4}@\d{1,4})" 
| dedup number 
| table _time number field

Could you better describe your main and sub searches? I need to identify the correlation key.

Ciao.

Giuseppe

0 Karma

Splunkee
Loves-to-Learn

Hi @gcusello,

no the two searches operate on the same index.

I tried with join before but I got wrong results showing me 80,000+ hits in the last 24 hours. The main query only gives me 10 results for the last 24 hours which is correct.

The correlation key is a field named "number" in the main query. These values must be equal to the rex "number" in the subquery to extract the additional field "field" needed for my exploration.

I hope I could make things a little bit clearer. Thanks for your support!

0 Karma

gcusello
SplunkTrust

Hi @Splunkee,

probably the problem is that a subsearch has the limit of 50,000 results, so the main search isn't correctly filtered, so, please try this:

index=index1 ("some text" OR message]
| eval kind=if(searchmatch("some text"=,"main","sub")
| rex "\[(?<number>\d{3,5})"| fields number ] 
| rex "(?<field>\w{2,4}@\d{1,4})" 
| stats earliest(_time) AS _time values(field) AS field dc(kind) AS dc_kind BY number
| where dc_kind=2
| table _time number field

Ciao.

Giuseppe

0 Karma

Splunkee
Loves-to-Learn

Are you sure about the [ and ]?

I get Error in 'SearchParser': Mismatched ']'. 

0 Karma

gcusello
SplunkTrust

Hi @Splunkee,

it was a typo from the previous one:

index=index1 ("some text" OR message)
| eval kind=if(searchmatch("\"some text\""),"main","sub")
| rex "\[(?<number>\d{3,5})"
| rex "(?<field>\w{2,4}@\d{1,4})" 
| stats earliest(_time) AS _time values(field) AS field dc(kind) AS dc_kind BY number
| where dc_kind=2
| table _time number field

Ciao.

Giuseppe

0 Karma
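A self-contained version of the stats-based correlation from the reply above, added here as an example and not the poster's own search: it builds four constructed sample events with makeresults (two "some text" events, two "message" events, sharing the number 12345 only), tags each event as main or sub, extracts number and field with the thread's regexes, and keeps only the numbers seen in both kinds. Because the events are created with eval rather than indexed, match() on _raw replaces searchmatch(); the timestamps and the ab@17 / cd@3 values are invented for the example.

```spl
| makeresults
| eval _raw=split("2024-05-01 10:00:01 some text [12345] request accepted;2024-05-01 10:00:05 message [12345] session ab@17;2024-05-01 10:01:00 some text [67890] request accepted;2024-05-01 10:02:00 message [11111] session cd@3", ";")
| mvexpand _raw
| rex "^(?<ts>\S+ \S+) "
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
| eval kind=if(match(_raw, "some text"), "main", "sub")
| rex "\[(?<number>\d{3,5})"
| rex "(?<field>\w{2,4}@\d{1,4})"
| stats earliest(_time) AS _time values(field) AS field dc(kind) AS dc_kind BY number
| where dc_kind=2
| table _time number field
```

Only number 12345 occurs in both a main and a sub event, so it is the single row that survives `where dc_kind=2`, carrying the earliest _time of the pair and the field value taken from the sub event; this is also why the original `return field` subsearch left the column empty, since a subsearch contributes a filter clause to the outer search, not a per-event value.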

gcusello
SplunkTrust

Hi @Splunkee,

try to use fields instead of return:

index=... "some text" 
| sort - _time [search message | rex "\[(?<number>\d{3,5})" | rex "(?<field>\w{2,4}@\d{1,4})" | fields field] 
| dedup number 
| table _time number field

only two little questions:

  • do you want to use the field extracted with regex in subsearch for sorting results? I ask this because the subsearch isn't in the search row but in the sort row,
  • why do you extract two fields using regexes in subsearch and then you use only one?

In other words, what do you want to do?

Ciao.

Giuseppe

0 Karma