This search gives me a value that I can feed into the next search and I get results without an error
index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit" | table dhost
Let's say the dhost returned is X
index=fireeye sourcetype=hx_json X
gives me the results I want... but when I try
index=fireeye sourcetype=hx_json [search index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit" |table dhost] | stats values
I get nothing.
The field names are different in each sourcetype.
X is dhost in hx_cef_syslog but X is alert.host.hostname in hx_json.
I am not sure what the problem is here but is the subsearch passing dhost=x or just x to the outer search?
Any help appreciated.
Thank you
The subsearch passes back the result of an implicit format command in a field called search, which looks like this:
( (dhost="value1" ) OR ( dhost="value2" ) OR ....)
If there was a second field called foo, it would look like this:
( (dhost="value1" AND foo="foo1" ) OR ( dhost="value2" AND foo="foo2" ) OR ....)
You can eliminate the field name with a rex in sed mode, leaving it like this...
( ( "value1" ) OR ( "value2" ) OR ....)
You can also give parameters to the format command to get rid of the extra parentheses, but I'm not going to do that here.
Try this...
index=fireeye sourcetype=hx_json
[search index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit"
| table dhost
| format
| rex mode=sed field=search "s/dhost=//g" ]
| ... the remainder of your search
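To make the answer's mechanism concrete, here is an added Python model (not from the thread and not Splunk's own code) of what the implicit format command emits, of the sed-mode rex that strips the field name, and of why the two strings behave differently against hx_json events whose hostname sits in alert.host.hostname rather than dhost. The sample hostnames and events are constructed, and the exact whitespace of real format output is an assumption.

```python
import re

# Constructed sample data (not from the thread): two hostnames as the inner
# "| table dhost" might return them, and two hx_json-style events whose hostname
# lives in alert.host.hostname rather than dhost.
INNER_ROWS = [{"dhost": "host-a.example"}, {"dhost": "host-b.example"}]
HX_JSON_EVENTS = [
    {"_raw": '{"alert":{"host":{"hostname":"host-a.example"}}}',
     "alert.host.hostname": "host-a.example"},
    {"_raw": '{"alert":{"host":{"hostname":"host-c.example"}}}',
     "alert.host.hostname": "host-c.example"},
]


def splunk_format(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                  col_end=")", row_sep="OR", row_end=")"):
    """Model of Splunk's format command; the six strings are its documented
    defaults and are the parameters the answer says could be changed.
    Multivalue fields and the maxresults limit are not modelled (assumption)."""
    rendered = []
    for row in rows:
        cols = " {} ".format(col_sep).join(f'{k}="{v}"' for k, v in row.items())
        rendered.append(f"{col_prefix} {cols} {col_end}")
    body = " {} ".format(row_sep).join(rendered)
    return f"{row_prefix} {body} {row_end}"


def strip_field_name(search, field):
    """The answer's rex mode=sed field=search "s/dhost=//g", for any field name."""
    return re.sub(re.escape(field) + "=", "", search)


def term_matches(event, term):
    """Rough model of one outer-search term: field="v" requires that field to
    exist with that value; a bare "v" is a keyword match against _raw."""
    m = re.fullmatch(r'([\w.]+)="([^"]*)"', term)
    if m:
        return event.get(m.group(1)) == m.group(2)
    return term.strip('"') in event["_raw"]


def count_hits(events, search):
    """Events matched by any term of the (OR-joined) search string."""
    terms = re.findall(r'[\w.]+="[^"]*"|"[^"]*"', search)
    return sum(any(term_matches(e, t) for t in terms) for e in events)


if __name__ == "__main__":
    as_fields = splunk_format(INNER_ROWS)               # dhost="..." terms: no hx_json hits
    as_keywords = strip_field_name(as_fields, "dhost")  # bare "..." terms: keyword hit
    print(as_fields, count_hits(HX_JSON_EVENTS, as_fields))
    print(as_keywords, count_hits(HX_JSON_EVENTS, as_keywords))
```

The field-qualified form finds nothing because no hx_json event has a dhost field; once the name is stripped, the bare value is searched as a keyword and matches the raw JSON.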
Awesome, thank you!!