- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need a little help troubleshooting my subsearch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This search gives me a value that I can feed into the next search and I get results without an error
index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit" | table dhost
lets say dhost returned is X
index=fireeye sourcetype=hx_json X
gives me the results I want.... but when I try
index=fireeye sourcetype=hx_json [search index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit" |table dhost] | stats values
I get nothing.
The field names are different in each sourcetype.
X is dhost in hx_cef_syslog but X is alert.host.hostname in hx_json.
I am not sure what the problem is here but is the subsearch passing dhost=x or just x to the outer search?
Any help appreciated.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The subsearch passes back the result of an implicit format command in a field called search, which looks like this
( (dhost="value1" ) OR ( host="value2" ) OR ....)
If there was a second field called foo, it would look like this
( (dhost="value1" AND foo="foo1" ) OR ( host="value2" AND foo="foo2" ) OR ....)
You can eliminate the field name with a rex in sed mode, leaving it like this...
( ( "value1" ) OR ( "value2" ) OR ....)
You can also give parameters to the format command to get rid of the extra parenthesis, but I'm not going to do that here.
Try this...
index=fireeye sourcetype=hx_json
[search index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit"
| table dhost
| format
| rex mode=sed field=search "s/dhost=//g" ]
| ... the remainder of your search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The subsearch passes back the result of an implicit format command in a field called search, which looks like this
( (dhost="value1" ) OR ( host="value2" ) OR ....)
If there was a second field called foo, it would look like this
( (dhost="value1" AND foo="foo1" ) OR ( host="value2" AND foo="foo2" ) OR ....)
You can eliminate the field name with a rex in sed mode, leaving it like this...
( ( "value1" ) OR ( "value2" ) OR ....)
You can also give parameters to the format command to get rid of the extra parenthesis, but I'm not going to do that here.
Try this...
index=fireeye sourcetype=hx_json
[search index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit"
| table dhost
| format
| rex mode=sed field=search "s/dhost=//g" ]
| ... the remainder of your search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome Thank you!!
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
