How to use the results of a subsearch to search an index for a pattern or regex on a particular field?

nightflame
Explorer

I want to use the results of a subsearch to search an index for a pattern/regex on a particular field.

I have this working:

| metadata type=hosts index=* | search [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 name | rename name AS host | table host] 

This extracts name of assets from my CMDB Index and checks to see if that name has been used as host to log to any event Indexes.

This works well and I have a similar query for sources:

| metadata type=sources index=* | search [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address | rename ip_address AS source | table source]

But I also want to do a wildcard lookup on sources based on the IP extracted from the CMDB.

What I want to do is:

| metadata type=sources index=* | search source="*[ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address | rename ip_address AS source | table source]*"

But obviously that syntax is invalid. I have tried to use regex but get similar syntax issues. Any help would be appreciated.

Richfez
SplunkTrust

So, using your subsearch method, try it this way.

What you asked for, but which won't quite work:

| metadata type=sources index=* | search source="*[ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address | rename ip_address AS source | table source]*"

In order to achieve that, you'll want to reformat the returned values of the subsearch. To do this, at the end of your subsearch eval a new field called search that has your value concatenated with wildcards. That will then get returned as is, and will substitute right in.

In the below, which I believe will work, we build that return string into items like source=*192.168.0.25*. I believe this will work and have tested it in various ways but only on my data, not yours. So as always your mileage may differ.

| metadata type=sources index=* [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address | rename ip_address AS source | eval search="source=*".source."*"]

So give that a try and see if that's better and closer!

Happy Splunking!
Rich

Richfez
SplunkTrust

The map command might be your solution. I'm not as well versed in map as in other commands, but I think what you'll want is

index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS MySource | map search="| metadata type=sources index=* | search source=\"*$MySource$*\" "

So, we've flipped it around and run your "little inside" search first, then use map to run a new search over each of those results. In order to use a leading wildcard on "source" (which I renamed to MySource so I didn't get into keyword confusion; I'd recommend doing the same in yours) I had to put it in quotes, which of course needed escaping because they're inside quotes...

Let me know how it goes!

Happy Splunking,
Rich

nightflame
Explorer

I tried this, but it only ever returns one result. It's like the map command only runs on the first result returned by the first search.
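The three searches below are an added example, not code posted by anyone in this thread, written to show the two approaches discussed here side by side, plus the coverage check a defender usually wants next (CMDB assets that are never seen as a log source). They assume the index `cmdb`, the sourcetype `cmdb:cmdb_ci` and the fields `name` and `ip_address` exactly as the question describes them; the regex used to pull an IPv4 address out of `source` is a constructed assumption about how source paths are named in your environment.

```spl
| metadata type=sources index=*
| search
    [ search index=cmdb sourcetype=cmdb:cmdb_ci
      | dedup ip_address
      | eval search="source=*" . ip_address . "*"
      | table search ]
| table source totalCount firstTime lastTime

index=cmdb sourcetype=cmdb:cmdb_ci
| dedup ip_address
| rename ip_address AS MySource
| table MySource
| map maxsearches=1000 search="| metadata type=sources index=* | search source=\"*$MySource$*\""

index=cmdb sourcetype=cmdb:cmdb_ci
| dedup ip_address
| table name ip_address
| join type=left ip_address
    [ | metadata type=sources index=*
      | rex field=source "(?<ip_address>\d{1,3}(?:\.\d{1,3}){3})"
      | stats max(lastTime) AS lastTime BY ip_address ]
| where isnull(lastTime)
| table name ip_address
```

The first search relies on the subsearch behaviour the accepted-style answer describes: when a subsearch returns a field literally named `search`, each value is substituted verbatim and the rows are OR'ed together, so the subsearch expands to `( source=*10.0.0.1* ) OR ( source=*10.0.0.2* ) ...`; the trailing `table search` keeps any other CMDB field from leaking into the generated expression. The second search is the `map` variant with `maxsearches` set explicitly, because `map` stops after 10 inner searches by default, which is worth ruling out whenever it seems to return fewer results than expected. The third search inverts the question and lists CMDB assets whose IP never appears in any source, which is the gap a logging-coverage or detection-engineering review is really after; note that subsearches and `join` are subject to Splunk's result and runtime limits, so on a large CMDB a lookup-based approach is the more robust long-term option.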
