Splunk Search

Why am I getting "No Results" using rex in a subsearch?

jgbricker
Contributor

Hello,

I'm trying to do something more complicated than this search, but the more complicated scenario includes regular expression extraction and I wanted to simplify what I'm trying to do into smaller pieces to see if they work. I'm a little frustrated that this search returns 'No Results' but when I remove the '[search index="my_index"' from the front and the ']' from the back I have no issues getting the field extracted. I don't have a lot of experience with sub-searches so I'm not sure of its limits and I'm wondering if I've run into one.

index="my_index" "*PartOfURL*" [search index="my_index" | rex field=_raw "PartOfURL\/g\/(?<sessionGUID>[^\/]+)"|fields sessionGUID]

Any tips are appreciated!
Thanks!

0 Karma
1 Solution

martin_mueller
SplunkTrust

Do configure the field extraction for the sourcetype you're actually searching, then the field will exist in both the subsearch and the main search.

Without that, the subsearch will demand sessionGUID="foo" while the data in the main search doesn't know such a field.


jgbricker
Contributor

Here is how I got the values I needed -

index="rp" sourcetype="rp" *PartOfURL*
| rex "\-\s+(?<Agent>\w{2}\d{4}\w\d{2})\s[^\"]+\"(?<request>GET\s[^\"]+)\"\s(?<status_code>\d{3})\s[^\"]+\"(?<referer>[^\"]+)"
| lookup quoteLaunchBeta.csv betaAgent AS Agent OUTPUT betaAgent AS BetaAgent
| where isnotnull(BetaAgent)
| regex request!="GET\s\/PartOfURL\/[^\/]+\/[^\/]+\/[^\s]+\sHTTP[^\"]+"
| search (request="GET /PartOfURL/ HTTP/1.1" AND referer="https://www.someplace.com/Pages/default.aspx") OR (request="GET /PartOfURL/g/*" AND referer="*Customer*")
| stats count(eval(request!="GET /PartOfURL/ HTTP/1.1")) as ConformCount, count(eval(request="GET /PartOfURL/ HTTP/1.1")) as NotConformCount
0 Karma

jgbricker
Contributor

This is what I'm trying, and I get "Error in 'table' command: Invalid argument: 'ConformCount=8'" for the following search:

index="rp" sourcetype="rp" *PartOfURL*
| rex "\-\s+(?<Agent>\w{2}\d{4}\w\d{2})\s[^\"]+\"\w+\s(?<request>[^\"]+)\"\s(?<status_code>\d{3})\s[^\"]+\"(?<referer>[^\"]+)"
| lookup quoteLaunchBeta.csv betaAgent AS Agent OUTPUT betaAgent AS BetaAgent
|where isnotnull(BetaAgent)
|eval TotalBetaAgentVolume = ConformCount + NotConformCount
|eval ConformPerc=(ConformCount / TotalBetaAgentVolume)
|eval NotConformPerc=(NotConformCount / TotalBetaAgentVolume)
|table ConformCount ConformPerc NotConformCount NotConformPerc TotalBetaAgentVolume
[search index="rp" sourcetype="rp" *PartOfURL* *Customer* | regex "PartOfURL\/g\/[^\/]+\sHTTP" |stats count AS ConformCount|fields ConformCount]
[search index="rp" sourcetype="rp" *PartOfURL* *Customer* | regex "PartOfURL\/\sHTTP" |stats count AS NotConformCount|fields NotConformCount]

Can I do something different to achieve this?

0 Karma

wpreston
Motivator

So if you run this search:

index="my_index" "*PartOfURL*" | rex field=_raw "PartOfURL\/g\/(?<sessionGUID>[^\/]+)" | fields sessionGUID

are there any values for sessionGUID?

0 Karma

jgbricker
Contributor

Yes, definitely, there are 100+ values when I don't do the subsearch method of extracting.

0 Karma

somesoni2
Revered Legend

It seems you're extracting the field sessionGUID from index=my_index, so I assume it's not available already. The subsearch you wrote is just applying a filter to the events, then doing the field extraction. What you need to do is to move the rex part into the main search directly (no subsearch needed) like @wpreston mentioned OR, as @martin said, configure this rex as a field extraction for the sourcetype you're using. (Subsearches are for filtering data, not for creating/extracting new fields.)

0 Karma
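A small Python model of what somesoni2 and martin_mueller describe, added here as an example and not code from the thread or from Splunk: the subsearch's rows become a sessionGUID="..." filter, which the outer search can only satisfy if sessionGUID is a field it already knows, i.e. after a props.conf EXTRACT stanza exists for the sourcetype. The stanza name and the sample events are constructed assumptions; the regex is the question's own.

```python
import re

# Constructed sample events, not data from the original post; the URL shape
# follows the rex in the question (sessionGUID ends at the next "/").
EVENTS = [
    '10.0.0.1 - - "GET /PartOfURL/g/3f2a-1/view HTTP/1.1" 200',
    '10.0.0.2 - - "GET /PartOfURL/g/9c7b-2/view HTTP/1.1" 200',
    '10.0.0.3 - - "GET /Other/page HTTP/1.1" 404',
]
INNER_REX = r"PartOfURL/g/(?<sessionGUID>[^/]+)"  # the question's rex, "/" unescaped

# A props.conf search-time extraction as martin_mueller suggests; the stanza
# name is an assumption, the pattern is the question's own.
PROPS_CONF = "[my_sourcetype]\nEXTRACT-sessionGUID = " + INNER_REX

def to_py(pcre):
    """Splunk uses PCRE (?<name>...); Python's re wants (?P<name>...)."""
    return re.compile(pcre.replace("(?<", "(?P<"))

def load_extractions(conf):
    """Compile every EXTRACT-* line of a props.conf stanza."""
    lines = (re.match(r"EXTRACT-\w+\s*=\s*(.+)", ln.strip()) for ln in conf.splitlines())
    return [to_py(m.group(1)) for m in lines if m]

def fields_for(raw, extractions):
    """Fields the outer search can see: _raw plus search-time extractions."""
    fields = {"_raw": raw}
    for rx in extractions:
        if (m := rx.search(raw)):
            fields.update(m.groupdict())
    return fields

def subsearch(events, rex):
    """Inner search with rex in its pipeline. Splunk turns its result rows into
    a filter such as (sessionGUID="3f2a-1") OR (sessionGUID="9c7b-2")."""
    return [("sessionGUID", m.group("sessionGUID"))
            for raw in events if (m := to_py(rex).search(raw))]

def outer_search(events, extractions, filter_terms):
    """Outer search: the filter is tested against the event's known fields, so a
    field that only exists inside the subsearch's pipeline can never match."""
    return [raw for raw in events
            if any(fields_for(raw, extractions).get(k) == v for k, v in filter_terms)]

def run(with_props_conf):
    """Outer-search hit count for the question's query, with/without props.conf."""
    extractions = load_extractions(PROPS_CONF) if with_props_conf else []
    return len(outer_search(EVENTS, extractions, subsearch(EVENTS, INNER_REX)))

def main_search_with_rex(events, rex):
    """wpreston's and somesoni2's fix: no subsearch, rex in the main pipeline."""
    return [m.group("sessionGUID") for raw in events if (m := to_py(rex).search(raw))]
```

run(False) reproduces the "No Results" from the question, while run(True) and main_search_with_rex both return the two matching events.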

jgbricker
Contributor

Thanks for the comment. You are correct, the fields I need were not extracted at search time and so I am extracting them at search time. I understand that best practice is to extract at index time. I am aware that the rex command works outside the subsearch. I was hoping I could use a subsearch to do whatever I could do outside a subsearch and then just pass the field with values discovered into a main search for computation. This wasn't working so I stripped it down to just one extraction piece to test and was surprised this little part wasn't working.
I think the best way to explain what i'm trying to do is to provide context by putting in one of my failed searches.

0 Karma

jgbricker
Contributor

I have sessionGUID wrapped in <> after the ? but not sure how to get it to show in my post..

0 Karma

wpreston
Motivator

You can use the code block button in the editor (the one with 1's and 0's on it), or just indent the line with your search code 4 spaces and it should make it display correctly.

0 Karma

jgbricker
Contributor

Thanks! That fixed my post display issue!

0 Karma