Splunk Search

Problems with subsearch.

lylereger
New Member

I am having trouble getting a subsearch to work and was hoping someone might be able to help. I am trying to compare enterprise security hashes to another log/index I have that also has those same searches referenced. The index of that other log is "otherlog" in my sample. BridgeMsg is just a macro/field for a part of the syslog string.

It is my understanding that inner joins are done first, so I am getting the event hash from ES, then I want to see if that result is in my otherlog. Obviously, I am missing something fundamental here though. I am also getting this error message and have no idea why:

Error in 'dedup' command: The field '(' is specified multiple times. It should only be specified once.

index=otherlog sourcetype=syslog | rex field=bridgeMsg "hash:\s+[\d.]+\s+(?<event_hash>(\S+))" | fields event_hash | dedup event_hash [ search index=notable | search NOT suppression | get_event_hash | dedup event_hash ]

Any ideas?
(Edited to clarify as per comment 1)


lylereger
New Member

I think I am closer to the answer now, still need to do a lot of verification. For my needs, I think the second solution was a bit closer. Where I wound up:

index=notable  source="*"  
| search NOT `suppression` 
| `get_event_hash` 
| dedup event_hash 
| fields * | table * 
| where  [search index=snaplec sourcetype=syslog-og | rex field=bridgeMsg "hash:\s+[\d.]+\s+(?<event_hash>(\S+))"
    | fields event_hash 
    | dedup event_hash ]  
| table event_hash _time search_name
| rename event_hash as Notable, _time as Time, search_name as "Rule Name"


somesoni2
Revered Legend

You want to use the result of the subsearch as a filter, so it should be used with a filtering command such as | search or | where (or in the base search itself). Try this:

index=otherlog sourcetype=syslog | rex field=bridgeMsg "hash:\s+[\d.]+\s+(?<event_hash>(\S+))" | fields event_hash | dedup event_hash | search [ search index=notable | search NOT `suppression` | `get_event_hash` | dedup event_hash ]

OR (filter in base search and use event_hash value as text filter)

index=otherlog sourcetype=syslog [ search index=notable | search NOT `suppression` | `get_event_hash` | dedup event_hash | table event_hash | rename event_hash as search ] | rex field=bridgeMsg "hash:\s+[\d.]+\s+(?<event_hash>(\S+))" | fields event_hash | dedup event_hash
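To make the answer above concrete, here is an added Python example (not part of the thread, and not Splunk's own code) that models what Splunk does with the subsearch in the first corrected search: the `rex` extraction runs with the thread's regex, the bracketed subsearch is replaced by a deduplicated `(event_hash="...") OR (event_hash="...")` expression, and the outer events are kept only where their `event_hash` appears in that expression. The notable hashes and bridgeMsg strings are constructed sample data; the function names are the example's own. The model also shows why the original search failed: the expansion text begins with `(`, and `dedup` reads its arguments as field names, which matches the `field '('` error the question quotes.

```python
import re

# Regex from the thread's rex command. Python spells a named group (?P<name>...)
# where Splunk's rex uses (?<name>...); the pattern is otherwise identical.
HASH_RE = re.compile(r"hash:\s+[\d.]+\s+(?P<event_hash>(\S+))")

# Constructed sample data (not from the thread): hashes that `get_event_hash`
# would yield from index=notable, and bridgeMsg strings from the syslog index.
NOTABLE_HASHES = [
    "3f2a9c1e7b4d5a6e",
    "3f2a9c1e7b4d5a6e",   # duplicate notable: the subsearch's dedup collapses it
    "9b8c7d6e5f4a3b2c",
]
SYSLOG_BRIDGE_MSGS = [
    "bridge: hash: 1.0 3f2a9c1e7b4d5a6e src=10.0.0.5",
    "bridge: hash: 1.0 aaaa000011112222 src=10.0.0.9",   # not a notable
    "bridge: keepalive",                                 # no hash at all
    "bridge: hash: 2.1 9b8c7d6e5f4a3b2c src=10.0.0.7",
]


def rex_event_hash(msg):
    """Mimic `rex field=bridgeMsg "..."`: return the captured hash or None."""
    m = HASH_RE.search(msg)
    return m.group("event_hash") if m else None


def subsearch_filter(hashes):
    """Mimic the text Splunk substitutes for `[ search ... | dedup event_hash ]`:
    one (field="value") clause per distinct row, joined with OR."""
    uniq = list(dict.fromkeys(hashes))  # dedup while preserving order
    return " OR ".join(f'(event_hash="{h}")' for h in uniq)


def subsearch_text_terms(hashes):
    """Mimic `... | rename event_hash as search` (the second corrected search):
    the values become bare search terms instead of field=value clauses."""
    uniq = list(dict.fromkeys(hashes))
    return " OR ".join(f'"{h}"' for h in uniq)


def outer_search(bridge_msgs, notable_hashes):
    """The first corrected search: rex, fields, dedup, then
    `| search [ subsearch ]` keeps only events whose event_hash is in the
    subsearch result. Returns the matching hashes in first-seen order."""
    wanted = set(notable_hashes)
    hits = []
    for msg in bridge_msgs:
        h = rex_event_hash(msg)
        if h is not None and h in wanted:
            hits.append(h)
    return list(dict.fromkeys(hits))


def dedup_field_names(expansion):
    """Model why the original query errored: `dedup` treats each whitespace-
    separated token of its arguments as a field name, so an expanded subsearch
    hands it tokens such as '(event_hash="...")' and 'OR'."""
    return [tok.lstrip('(').split('=')[0] for tok in expansion.split()]


if __name__ == "__main__":
    print(subsearch_filter(NOTABLE_HASHES))
    print(subsearch_text_terms(NOTABLE_HASHES))
    print(outer_search(SYSLOG_BRIDGE_MSGS, NOTABLE_HASHES))
```

The two filter builders correspond to the two searches in the answer: `subsearch_filter` is the field/value form placed after `| search`, and `subsearch_text_terms` is the raw-text form produced by `rename event_hash as search` for use in the base search. Because a subsearch is expanded into a finite OR list, the `dedup event_hash` inside it keeps the list short and within the subsearch result limit.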

hunters_splunk
Splunk Employee

Hi lylereger,

I think the rex syntax in your search is incorrect. A field name should be supplied to assign the captured group to.

... | rex field=bridgeMsg "hash:\s+[\d.]+\s+(?<new_field>(\S+))" | ...

For details, see documentation: http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex
Not sure what new field you want to create with the regex capture, but please correct this syntax and try again.

Hope this helps. Thanks!
Hunter


lylereger
New Member

That line does indeed have a field; I was bitten by cut and paste, it seems. Hope it shows up in the tags. event_hash is the field.

rex field=bridgeMsg "hash:\s+[\d.]+\s+(?<event_hash>(\S+))"