Thanks Hunter,
So now I have another problem. The link you provided had details about format command which I was hoping to use to modify returned search result so that it will work with multiple returned fields.
Splunk docs say:
"The format command changes your subsearch results into a single linear search string. This is used when you want to pass the returned values in the returned fields into the primary search."
I have managed to get the query to work if I return a single field. But it doesn't work if I pipe it to format. It seems the primary search doesn't work with the returned linear search string?
[ search sourcetype="dns" "specific urls" | dedup src | return 3 src_ip=src | format ]
sourcetype="WinSecurityEvent"
| dedup accountname | stats values(accountname) AS accounts | table query, src_ip, accounts
The formatted search string that is returned contains (this does not work):
( ( "(src_ip=\"10.10.10.1\") OR (src_ip=\"10.10.10.2\") OR (src_ip=\"10.10.10.3\")" ) )
Without format (this works):
(src_ip="10.10.10.1") OR (src_ip="10.10.10.2") OR (src_ip="10.10.10.3")
Is there a bug, or am I missing something from my command, or am I supposed to modify linear search strings somehow before they can be used with the primary search?
Thanks,
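A small Python model of the behaviour described in this post (an added illustration, not Splunk's own code or the poster's query): `return` already emits a finished search string in a field named `search`, and `format` then treats that field as one more value to quote and escape, which yields the nested string quoted above. The quoting and escaping rules are inferred from the two outputs shown in the post; how `format` renders ordinary rows that already carry a `src_ip` field is an assumption about its default behaviour.

```python
# Simplified model of Splunk's `return` and `format` commands, built only to
# reproduce the two strings quoted in the post. Not Splunk's implementation.

# Constructed sample rows, standing in for the deduplicated `src` values the
# subsearch `search sourcetype="dns" ... | dedup src` would return.
ROWS = [{"src": "10.10.10.1"}, {"src": "10.10.10.2"}, {"src": "10.10.10.3"}]


def splunk_return(rows, field, alias=None):
    """Model of `return N alias=field`: a single row whose `search` field
    already holds a finished (alias="v1") OR (alias="v2") ... string."""
    name = alias or field
    clauses = ['({}="{}")'.format(name, r[field]) for r in rows]
    return [{"search": " OR ".join(clauses)}]


def splunk_format(rows):
    """Model of `format` with default delimiters: fields within a row are
    AND'ed, rows are OR'ed, and the whole is wrapped in parentheses. A field
    named `search` is emitted as a bare quoted value with inner quotes
    escaped, which is what produces the nested string seen in the post."""
    def render(field, value):
        if field == "search":
            return '"' + str(value).replace('"', '\\"') + '"'
        return '{}="{}"'.format(field, value)

    row_strs = ["( " + " AND ".join(render(f, v) for f, v in r.items()) + " )"
                for r in rows]
    return "( " + " OR ".join(row_strs) + " )"


def return_only():
    """`... | return 3 src_ip=src` alone: the string the post says works."""
    return splunk_return(ROWS, "src", "src_ip")[0]["search"]


def double_formatted():
    """`... | return 3 src_ip=src | format`: the escaped string that fails."""
    return splunk_format(splunk_return(ROWS, "src", "src_ip"))


def format_only():
    """Assumed rendering of `format` over rows that already have a src_ip
    field (no `return` in between): no nested quoting is produced."""
    return splunk_format([{"src_ip": r["src"]} for r in ROWS])


if __name__ == "__main__":
    print(return_only())
    print(double_formatted())
    print(format_only())
```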