Hi All
Can anyone explain where my search is wrong?
sourcetype="access_log" [search sourcetype="GAMESAPI*" SID | rex field=_raw "\[SID\]\s=>\s(?<SID>[0-9]*)" | top SID limit=1 | table SID] | rex field=_raw "(?i)^(?P<IP>[^ ]*)(?= )"
I am trying to extract the most common SID within a GAMESAPI log and use that value to search the access_log for the corresponding IP addresses.
The following search returns the top SID:
sourcetype="GAMESAPI*" SID | rex field=_raw "\[SID\]\s=>\s(?<SID>[0-9]*)" | top SID limit=1 | table SID
And this search will return the IP address from the access_log:
sourcetype="access_log" | rex field=_raw "(?i)^(?P<IP>[^ ]*)(?= )"
Separately, the two searches work; as a subsearch, they fail. Any ideas?
Your subsearch, if it produces a list of SIDs, will be expanded to something like:
((SID="1234") OR (SID="2345") OR (SID="3456"))
which means your resulting search will be:
sourcetype="access_log" ((SID="1234") OR (SID="2345") OR (SID="3456"))
I have no idea whether SID is extracted from access_log, but I'm guessing it's not, which would be the problem.
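As an added illustration (not part of the original thread and not Splunk code), the Python below applies the two rex patterns from the question to constructed sample events and contrasts matching the top SID as a field of the access_log events, which finds nothing because no SID field is extracted there, with matching it as a bare term against the raw text.

```python
import re
from collections import Counter

# Constructed sample events standing in for the two sourcetypes in the question.
GAMESAPI_LINES = [
    "2013-05-01 10:00:01 GAMESAPI request [SID] => 1234 action=login",
    "2013-05-01 10:00:02 GAMESAPI request [SID] => 2345 action=play",
    "2013-05-01 10:00:03 GAMESAPI request [SID] => 1234 action=play",
    "2013-05-01 10:00:04 GAMESAPI request [SID] => 1234 action=logout",
]
ACCESS_LOG_LINES = [
    '10.0.0.5 - - [01/May/2013:10:00:01] "GET /game?sid=1234 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2013:10:00:02] "GET /game?sid=2345 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2013:10:00:03] "GET /play?sid=1234 HTTP/1.1" 200 128',
]

SID_RE = re.compile(r"\[SID\]\s=>\s(?P<SID>[0-9]*)")  # the question's SID rex
IP_RE = re.compile(r"(?i)^(?P<IP>[^ ]*)(?= )")          # the question's IP rex


def top_sid(lines):
    """Most frequent SID in the GAMESAPI events (the '| top SID limit=1' step)."""
    counts = Counter(m.group("SID") for line in lines if (m := SID_RE.search(line)))
    return counts.most_common(1)[0][0] if counts else None


def extract_fields(line):
    """Field extraction on an access_log event: only IP is extracted, never SID."""
    m = IP_RE.match(line)
    return {"_raw": line, "IP": m.group("IP")} if m else {"_raw": line}


def ips_field_scoped(lines, sid):
    """What the expanded subsearch SID="1234" does: compare against a SID field."""
    events = (extract_fields(line) for line in lines)
    return sorted({e["IP"] for e in events if "IP" in e and e.get("SID") == sid})


def ips_raw_term(lines, sid):
    """Match the SID as a whole token anywhere in _raw, then report the IPs."""
    token = re.compile(r"\b" + re.escape(sid) + r"\b")
    events = (extract_fields(line) for line in lines)
    return sorted({e["IP"] for e in events if "IP" in e and token.search(e["_raw"])})


if __name__ == "__main__":
    sid = top_sid(GAMESAPI_LINES)
    print("top SID:", sid)
    print("field-scoped match:", ips_field_scoped(ACCESS_LOG_LINES, sid))
    print("raw-term match:", ips_raw_term(ACCESS_LOG_LINES, sid))
```

In Splunk the raw-term form corresponds to ending the subsearch with `| return $SID` (or renaming the field to `search`) instead of `| table SID`, so the value is matched against _raw rather than a field the access_log events do not have.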