Solved: Users subsearch in event type not working

arrowecssupport · ‎11-29-2019

This is my search I am trying to use in an event type so I can tag my events.

index = mail
| eval Subject=coalesce(Subject,subjectx)
| search
Subject = "*NVEM Battery Alert*"

But i get this error? "Message: Eventtype search string cannot be a search pipeline or contain a subsearch"
How would I achieve my search without the subsearch

woodcock · ‎11-29-2019

Like this:

index="mail" AND (Subject="*NVEM Battery Alert*" OR subjectx="*NVEM Battery Alert*")

View solution in original post

woodcock · ‎11-29-2019

Like this:

index="mail" AND (Subject="*NVEM Battery Alert*" OR subjectx="*NVEM Battery Alert*")

arrowecssupport · ‎12-04-2019

However, if I want to run multiple searches against lots of subjects, how can I make this more elegant.

arrowecssupport · ‎12-06-2019

I ended up creating an alias which did the job for me 🙂

woodcock · ‎12-04-2019

Use the field IN("value1", "value2", ... , "valueZ") syntax

arjunpkishore5 · ‎11-29-2019

Can you post the whole query ? Or is this it ?

arrowecssupport · ‎12-04-2019

This is it?

Users subsearch in event type not working

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]