Splunk Search

How to use the results of a subsearch to search an index for a pattern or regex on a particular field?

nightflame
Explorer

I want to use the results of a subsearch to search an index for a pattern/regex on a particular field.

I have this working:

| metadata type=hosts index=* | search [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 name | rename name AS host | table host] 

This extracts the names of assets from my CMDB index and checks to see whether each name has been used as the host for any event in my event indexes.

This works well and I have a similar query for sources:

| metadata type=sources index=* | search [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS source | table source] 

But I also want to do a wildcard lookup on sources based on the IP extracted from the CMDB.

What I want to do is:

| metadata type=sources index=* | search source="*[ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS source | table source]*"

But obviously that syntax is invalid. I have tried to use regex but get similar syntax issues. Any help would be appreciated.


Richfez
SplunkTrust

So, using your subsearch method, try it this way.

What you asked for, but which won't quite work:

| metadata type=sources index=* | search source="*[ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS source | table source]*"

In order to achieve that, you'll want to reformat the returned values of the subsearch. To do this, at the end of your subsearch eval a new field called search that has your value concatenated with wildcards. That will then get returned as is, and will substitute right in.

In the below, which I believe will work, we build that return string into items like source=*192.168.0.25*. I believe this will work and have tested it in various ways but only on my data, not yours. So as always your mileage may differ.

| metadata type=sources index=* | search [ search index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address | rename ip_address AS source | eval search="source=*".source."*" | fields search ]

So give that a try and see if that's better and closer!

Happy Splunking!
Rich
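To see what the subsearch will actually hand to the outer search before relying on it, run the subsearch on its own with `format` appended; the first search below does that, and the second is the full query built on the same subsearch. This is an added example, not code from the thread: it reuses the thread's index, sourcetype and field names, quotes each generated term so a value with spaces still parses, keeps only the `search` field so no exact `source=` term is ANDed in, and drops blank or non-IP ip_address values, because an empty value would become source="**" and match every source.

```spl
index=cmdb sourcetype=cmdb:cmdb_ci
| dedup 1 ip_address
| where match(ip_address, "^\d{1,3}(\.\d{1,3}){3}$")
| eval search="source=\"*" . ip_address . "*\""
| fields search
| format

| metadata type=sources index=*
| search
    [ search index=cmdb sourcetype=cmdb:cmdb_ci
      | dedup 1 ip_address
      | where match(ip_address, "^\d{1,3}(\.\d{1,3}){3}$")
      | eval search="source=\"*" . ip_address . "*\""
      | fields search ]
| convert ctime(firstTime) ctime(lastTime)
| table source totalCount firstTime lastTime
```

The first search should return a single `search` value of the form `( (source="*192.168.0.25*") OR (source="*10.0.0.7*") )`; if it is empty or contains a term with no IP between the wildcards, fix the CMDB data before trusting the second search's results.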

Richfez
SplunkTrust

The map command might be your solution. I'm not as well versed in map as in other commands, but I think what you'll want is

index=cmdb sourcetype=cmdb:cmdb_ci | dedup 1 ip_address| rename ip_address AS MySource | map search="| metadata type=sources index=* | search source=\"*$MySource$*\" "

So, we've flipped it around and run your "little inside" search first, then used map to run a new search over each of those results. In order to use a leading wildcard on "source" (which I renamed to MySource so I didn't get into keyword confusion; I'd recommend doing the same in yours) I had to put it in quotes, which of course needed escaping because they're inside quotes...

Let me know how it goes!

Happy Splunking,
Rich


nightflame
Explorer

I tried this, but it only ever returns one result. It's like the map command only runs on the first result returned by the first search.
