Subsearch fails but the results it produces work

pmelon
Explorer

In searching this I am reaching the conclusion that subsearches are viewed with some disdain by the more experienced Splunkers. I get that, so if there is a better way of carrying out what I'm trying to achieve please shout!

I have Sendmail logs. I have a few users who were sent a dodgy email, so I search for the email address string. I pull out the message ID for those and plonk them in a subsearch. I then use this to search for all the 'to' address fields. End result is I have a list of everyone who got the dodgy email. Search is:

index=email [search index=email from=bad_email_address | rex mode=sed field=msgid "s/[<>]//g" | rename msgid as search | table search] to=*

That only finds the first email. However, if I get the output of the subsearch by piping to format then copy and paste that into the search, replacing the subsearch, it works. Does anyone know why?

So, to be clear, the subsearch as above returns one result. If I manually copy and paste the results of the subsearch (which, to my mind is what the subsearch is dumping into the search anyway), it works as expected. I'm stripping the <> off the message ID as the 'to' event in the sendmail logs doesn't have them.

0 Karma
1 Solution

pmelon
Explorer

Well I had read that people considered subsearches a last resort and I understand why now. I used the following in the end:

index=email "to=" OR "from=" | transaction sendmail_id startswith=from endswith=to | search from="" stat=Sent

Much nicer.


0 Karma
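The correlation both approaches in this thread are after (collect the IDs of messages from the bad sender, then find every 'to' event carrying the same ID) as an added Python example. It is not from the thread and does not run in Splunk; it parses constructed sendmail-style syslog lines, joins 'from' and 'to' events on the queue ID the way the accepted answer's transaction on sendmail_id does, and strips the angle brackets from msgid with the same sed-style substitution the question uses. SAMPLE_LOG, the addresses, queue IDs and function names are all assumptions made for the example.

```python
"""Correlate sendmail 'from' and 'to' events on the queue ID to list every
recipient of mail from a given sender.  Added example; not the thread's own
code.  Log lines, addresses and IDs below are constructed, not real data."""
import re

# Constructed sendmail-style syslog lines (assumption: one queue ID ties the
# 'from' line to its 'to' lines, as in the accepted answer's sendmail_id).
SAMPLE_LOG = """\
Mar  3 09:14:01 mx1 sendmail[2231]: u23ABC01: from=<attacker@bad.example>, size=1834, class=0, nrcpts=2, msgid=<20240303.1@bad.example>, proto=ESMTP, relay=[203.0.113.9]
Mar  3 09:14:02 mx1 sendmail[2240]: u23ABC01: to=<alice@corp.example>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31834, dsn=2.0.0, stat=Sent
Mar  3 09:14:02 mx1 sendmail[2240]: u23ABC01: to=<bob@corp.example>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31834, dsn=2.0.0, stat=Sent
Mar  3 09:20:11 mx1 sendmail[2301]: u23DEF02: from=<newsletter@vendor.example>, size=9001, class=0, nrcpts=1, msgid=<n1@vendor.example>, proto=ESMTP, relay=[198.51.100.7]
Mar  3 09:20:12 mx1 sendmail[2305]: u23DEF02: to=<carol@corp.example>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=39001, dsn=2.0.0, stat=Sent
Mar  3 10:02:45 mx1 sendmail[2402]: u23GHI03: from=<attacker@bad.example>, size=1834, class=0, nrcpts=2, msgid=<20240303.2@bad.example>, proto=ESMTP, relay=[203.0.113.9]
Mar  3 10:02:46 mx1 sendmail[2410]: u23GHI03: to=<dave@corp.example>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31834, dsn=2.0.0, stat=Sent
Mar  3 10:02:46 mx1 sendmail[2410]: u23GHI03: to=<erin@corp.example>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31834, dsn=5.1.1, stat=User unknown
"""

# "sendmail[pid]: QUEUEID: key=value, key=value, ..."
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# Angle-bracketed values may contain commas; everything else ends at a comma.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")


def parse_sendmail(log_text):
    """Turn sendmail syslog lines into dicts of field=value plus 'qid'."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a queue-ID-bearing sendmail line, skip it
        ev = {"qid": m.group("qid")}
        for key, value in KV_RE.findall(m.group("rest")):
            ev[key] = value.strip()
        events.append(ev)
    return events


def strip_angle(value):
    """Same effect as the question's rex mode=sed "s/[<>]//g"."""
    return re.sub(r"[<>]", "", value)


def recipients_of_sender(events, bad_sender, only_sent=True):
    """Join 'from' events to 'to' events on the queue ID.

    Returns {qid: {"msgid": <bracket-stripped msgid>, "to": [recipients]}}.
    only_sent mirrors the accepted answer's 'stat=Sent' filter."""
    # Step 1, what the subsearch did: queue IDs of mail from the bad sender.
    wanted = {}
    for ev in events:
        if "from" in ev and strip_angle(ev["from"]) == bad_sender:
            wanted[ev["qid"]] = {"msgid": strip_angle(ev.get("msgid", "")), "to": []}
    # Step 2, the outer search: every 'to' event carrying one of those IDs.
    # Two passes, so it works even if 'to' lines precede the 'from' line.
    for ev in events:
        if "to" in ev and ev["qid"] in wanted:
            if only_sent and ev.get("stat") != "Sent":
                continue  # bounced / unknown recipients never got the message
            wanted[ev["qid"]]["to"].append(strip_angle(ev["to"]))
    return wanted


def all_recipients(events, bad_sender, only_sent=True):
    """Flat, de-duplicated recipient list across every matching queue ID."""
    out = set()
    for info in recipients_of_sender(events, bad_sender, only_sent).values():
        out.update(info["to"])
    return sorted(out)


if __name__ == "__main__":
    evs = parse_sendmail(SAMPLE_LOG)
    for qid, info in recipients_of_sender(evs, "attacker@bad.example").items():
        print(qid, info["msgid"], info["to"])
    print(all_recipients(evs, "attacker@bad.example"))
```

The two-pass structure is the point: the first pass is the "subsearch" that collects IDs, the second is the outer search that uses all of them, so nothing is lost to a single-row result. Keep the only_sent filter when the goal is a list of people who actually received the message; drop it when you also want the bounced recipients for the incident record.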

knielsen
Contributor

I wasn't even aware that "search" seems to be a reserved field name for an inner search used this way. And yes, it only seems to give back the first result, not the whole table, as search input for the base search.

So the rexed msgid is part of the "to" field? Then try this maybe:

index=email [search index=email from=bad_email_address | rex mode=sed field=msgid "s/[<>]//g" | eval to="*".msgid."*" | fields to ]

That will resolve to

 index=email (to=*msgid1*) OR (to=*msgid2*) OR (to=... etc

You are limited to 50000 msgids with that.

0 Karma

pmelon
Explorer

I should have been more clear, sorry. The 'from' events are separate from the 'to' events. Does that not mean eval to="*" would fail?

0 Karma