I had this search working and now it seems to have stopped and gives an error. Thoughts?
Search:
index=symantec sourcetype=file Host_Name=[search index=dhcp "*ip address*" "DHCPACK" AND "RENEW"| sort -_time | rex "\((?<Hostname>.*?)\)"| dedup Hostname | table Hostname | return $Hostname] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw
Error:
Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.
Try using it like this:
index=symantec sourcetype=file [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort -_time | rex "\((?<Hostname>.*?)\)"| dedup Hostname | table Hostname | rename Hostname as Host_Name] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw
Removed the comparator and used subsearch.
Check the macro definition in macros.conf under /opt/splunk/etc/apps/digitalguardian_web. In my case, the macro was wrongly defined.
$SPLUNK_HOME$/etc/apps/digitalguardian_web/local/macros.conf
Wrong definition:
[index_macro]
definition = index=digitalguardian
Right definition:
[index_macro]
definition = digitalguardian
The error is most likely triggering because the subsearch [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort -_time | rex "\((?<Hostname>.*?)\)"| dedup Hostname | table Hostname | return $Hostname]
is resolving to NULL, therefore your outer search is being run as
index=symantec sourcetype=file Host_Name= | ... etc
Check that your subsearch returns results, either by running the search on its own or by looking in the job inspector.
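As an added illustration (not part of any post in this thread) of the point above, here are two subsearches you can run on their own to see exactly what they would hand back to the outer search. Both build their own sample DHCP-style events with makeresults instead of reading index=dhcp, so the hostnames are constructed; the triple-backtick inline comments assume Splunk Enterprise 8.0 or later.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw="DHCPACK on 10.0.0." . n . " to 00:11:22:33:44:0" . n . " (host" . n . ".example.org) via eth0 RENEW"   ```constructed events standing in for index=dhcp```
| rex "\((?<Hostname>.*?)\)"   ```pull the name between the parentheses into Hostname```
| dedup Hostname
| table Hostname
| rename Hostname AS Host_Name   ```the outer search filters on Host_Name, so the field must carry that name```
| format   ```shows the string the subsearch would return: ( ( Host_Name="host1.example.org" ) OR ( Host_Name="host2.example.org" ) OR ( Host_Name="host3.example.org" ) )```

| makeresults count=3
| streamstats count AS n
| eval _raw="DHCPACK on 10.0.0." . n . " to 00:11:22:33:44:0" . n . " (host" . n . ".example.org) via eth0 RENEW"   ```same constructed events```
| rex "\((?<Hostname>.*?)\)"
| dedup Hostname
| return $Hostname   ```returns only the quoted value, "host1.example.org", with no field name, so the outer search receives a bare keyword rather than Host_Name="host1.example.org"```
```

Run each search by itself and read the search field of the single result it produces; that string is what gets spliced into the outer search in place of the square brackets. If the first form comes back empty, the outer search is left with no term to filter on, which is the situation the comparator error points at.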
I did the subsearch and I get the information I am looking for. So how would I fix this now? Also, I put in the information wrong. I am adding a more correct search string.
Thanks that worked. Plus I figured out why no results were coming back. Thanks again.
This is a saner method for sure
So I did this:
index=symantec sourcetype=symantecfield [search index=dhcp "ip" "DHCPACK" AND "RENEW"| sort -_time | rex "\((?<Hostname>.*?)\)"| dedup Hostname | table Hostname | return $Hostname] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw
No longer getting an error, but I am getting no results. But if I put the results of the subsearch in the search, I will get the results I want. Both searches seem to work by themselves but not together.