Solved: Subsearch not returning any results

gillockb · ‎11-09-2021

Hello Splunksters,

I'm new to Splunk and am constructing my first subsearch. I've read the documentation on subsearches, but am apparently missing something fundamental. I have a log file that captures and records events based on a GUID. Obviously GUIDs aren't something one goes searching for directly. The primary search is by phone number. So, I need to accept a phone number, retrieve the associated GUID and then return all the results tied to that GUID. I have the search retrieving the GUID working, and want to use that as the subsearch.

Ultimate search I wish to run:

index="myIndex" sourcetype="mySourceType" 7c10cfbc-6892-4590-a05c-c12acf16932b

Search retrieving GUID (this works):

index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID

What I thought the subsearch should look like:

index="myIndex" sourcetype="mySourceType"  [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID]

Everything in the [] returns the GUID, as I understand the doc, that should be what is searched for in the main search. What am I missing?

Thank you!

Brian

gillockb · ‎11-10-2021

Bah! I figured it out. I did not realize the format command was being applied to the subsearch resulting in

( ( GUID="7c10cfbc-6892-4590-a05c-c12acf16932b" ) )

instead of just the GUID value. And as the raw data does not contain a GUID field, there was nothing to match it to. Since I constructed the subsearch in the Search app it was giving me just the value I was looking for. Hard lesson learned...

I ran an Extract New Fields to create the GUID field from the raw data and now am receiving the results I desire. Thanks all for taking a look and thanks again, JC for trying to help!

View solution in original post

gillockb · ‎11-10-2021

Bah! I figured it out. I did not realize the format command was being applied to the subsearch resulting in

( ( GUID="7c10cfbc-6892-4590-a05c-c12acf16932b" ) )

instead of just the GUID value. And as the raw data does not contain a GUID field, there was nothing to match it to. Since I constructed the subsearch in the Search app it was giving me just the value I was looking for. Hard lesson learned...

I ran an Extract New Fields to create the GUID field from the raw data and now am receiving the results I desire. Thanks all for taking a look and thanks again, JC for trying to help!

jcraumer · ‎11-10-2021

Glad you were able to figure it out.

jcraumer · ‎11-09-2021

Try adding a join:

The sub search should produce the GUID based on your logic, however the format of the GUID in the outer search would need to match. If the inner search shows the GUID as

7c10cfbc-6892-4590-a05c-c12acf16932b

after you replace and rex then the outer search would also need to have a match GUID field of

7c10cfbc-6892-4590-a05c-c12acf16932b

gillockb · ‎11-09-2021

Thank you, JC. I very much appreciate the assist, unfortunately that didn't help. Returns no results again.

The regex actually provides me with the GUID. It's a much longer string in the logs. And the first query with the GUID hardcoded gives me the final results I'm looking for.

Thanks again! Cheers,

Brian

Subsearch not returning any results

subsearch

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector