Hello,
I'm trying to do something more complicated than this search, but the more complicated scenario includes regular expression extraction and I wanted to simplify what I'm trying to do into smaller pieces to see if they work. I'm a little frustrated that this search returns 'No Results', but when I remove the '[search index="my_index"' from the front and the ']' from the back I have no issues getting the field extracted. I don't have a lot of experience with sub-searches so I'm not sure of their limits, and I'm wondering if I've run into one.
index="my_index" "*PartOfURL*" [search index="my_index" | rex field=_raw "PartOfURL\/g\/(?<sessionGUID>[^\/]+)"|fields sessionGUID]
Any tips are appreciated!
Thanks!
Do configure the field extraction for the sourcetype you're actually searching, then the field will exist in both the subsearch and the main search.
Without that, the subsearch will demand sessionGUID="foo" while the data in the main search doesn't know such a field.
Here is how I got the values I needed -
index="rp" sourcetype="rp" *PartOfURL*
| rex "\-\s+(?<Agent>\w{2}\d{4}\w\d{2})\s[^\"]+\"(?<request>GET\s[^\"]+)\"\s(?<status_code>\d{3})\s[^\"]+\"(?<referer>[^\"]+)"
| lookup quoteLaunchBeta.csv betaAgent AS Agent OUTPUT betaAgent AS BetaAgent
| where isnotnull(BetaAgent)
| regex request!="GET\s\/PartOfURL\/[^\/]+\/[^\/]+\/[^\s]+\sHTTP[^\"]+"
| search (request="GET /PartOfURL/ HTTP/1.1" AND referer="https://www.someplace.com/Pages/default.aspx") OR (request="GET /PartOfURL/g/*" AND referer="*Customer*")
| stats count(eval(request!="GET /PartOfURL/ HTTP/1.1")) as ConformCount, count(eval(request="GET /PartOfURL/ HTTP/1.1")) as NotConformCount
This is what I'm trying, and I get Error in 'table' command: Invalid argument: 'ConformCount=8'
for the following search -
index="rp" sourcetype="rp" *PartOfURL*
| rex "\-\s+(?<Agent>\w{2}\d{4}\w\d{2})\s[^\"]+\"\w+\s(?<request>[^\"]+)\"\s(?<status_code>\d{3})\s[^\"]+\"(?<referer>[^\"]+)"
| lookup quoteLaunchBeta.csv betaAgent AS Agent OUTPUT betaAgent AS BetaAgent
|where isnotnull(BetaAgent)
|eval TotalBetaAgentVolume = ConformCount + NotConformCount
|eval ConformPerc=(ConformCount / TotalBetaAgentVolume)
|eval NotConformPerc=(NotConformCount / TotalBetaAgentVolume)
|table ConformCount ConformPerc NotConformCount NotConformPerc TotalBetaAgentVolume
[search index="rp" sourcetype="rp" *PartOfURL* *Customer* | regex "PartOfURL\/g\/[^\/]+\sHTTP" |stats count AS ConformCount|fields ConformCount]
[search index="rp" sourcetype="rp" *PartOfURL* *Customer* | regex "PartOfURL\/\sHTTP" |stats count AS NotConformCount|fields NotConformCount]
Can I do something different to achieve this?
So if you run this search:
index="my_index" "*PartOfURL*" | rex field=_raw "PartOfURL\/g\/(?<sessionGUID>[^\/]+)" | fields sessionGUID
are there any values for sessionGUID?
Yes, definitely, there are 100+ values when I don't do the subsearch method of extracting.
It seems you're extracting the field sessionGUID from index=my_index, so I assume it's not available already. The subsearch you wrote is just applying a filter to the events, rather than doing the field extraction. What you need to do is to move the rex part into the main search directly (no subsearch needed) like @wpreston mentioned, OR as @martin said, configure this rex as a field extraction for the sourcetype you're using. (Subsearches are for filtering data, not to create/extract new fields.)
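A single-pipeline rewrite of the failing percentage search posted above, as an added example (not from any of the posters), that follows this answer's advice: the rex extraction and both counts live in the main search, so no subsearch output is appended to the table command. It assumes the same index, sourcetype, lookup file and URL patterns as the posts, and that both counts should be taken over the same BetaAgent-filtered events the main search already produces.

```spl
index="rp" sourcetype="rp" *PartOfURL* *Customer*
| rex "\-\s+(?<Agent>\w{2}\d{4}\w\d{2})\s[^\"]+\"\w+\s(?<request>[^\"]+)\"\s(?<status_code>\d{3})\s[^\"]+\"(?<referer>[^\"]+)"
| lookup quoteLaunchBeta.csv betaAgent AS Agent OUTPUT betaAgent AS BetaAgent
| where isnotnull(BetaAgent)
| eval conform=if(match(request, "PartOfURL/g/[^/]+\sHTTP"), 1, 0)
| eval notconform=if(match(request, "PartOfURL/\sHTTP"), 1, 0)
| stats sum(conform) AS ConformCount, sum(notconform) AS NotConformCount
| eval TotalBetaAgentVolume=ConformCount + NotConformCount
| eval ConformPerc=round(ConformCount / TotalBetaAgentVolume, 4)
| eval NotConformPerc=round(NotConformCount / TotalBetaAgentVolume, 4)
| table ConformCount ConformPerc NotConformCount NotConformPerc TotalBetaAgentVolume
```

The two eval/match lines replace the two subsearches: each event is flagged 1 or 0 against the same patterns the subsearches used, and stats sums the flags into the two counts in one pass over the data.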
Thanks for the comment. You are correct, the fields I need were not extracted at index time and so I am extracting them at search time. I understand that the best practice is to extract at index time. I am aware that the rex command works outside the subsearch. I was hoping I could use a subsearch to do whatever I could do outside a subsearch and then just pass the field with the values discovered into a main search for computation. This wasn't working, so I stripped it down to just one extraction piece to test and was surprised this little part wasn't working.
I think the best way to explain what I'm trying to do is to provide context by putting in one of my failed searches.
I have sessionGUID wrapped in <> after the ?, but not sure how to get it to show in my post..
You can use the code block button in the editor (the one with 1's and 0's on it), or just indent the line with your search code 4 spaces and it should make it display correctly.
Thanks! That fixed my post display issue!