Splunk Search

Adjusting quotes from subquery using format

alancalvitti
Path Finder

I'd like to (1) use a subquery to extract a list of deviceId's then (2) search the same index for all events containing any of those devices returned by the subquery.

However, format puts quotes around each deviceId value only: deviceId="abc123" rather than around the equal sign: "deviceId=abc123" .

Consequently the outer search doesn't match any events, while the latter modified form does. Is there an option for format to adjust quotes accordingly? Concrete example (1)

index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format

returns a list of the form:

( ( ( deviceId="0002ac61d" OR deviceId="0003511e" ... OR deviceId="0006ecff" ) ) )

But the query/subquery combination doesn't match any events:

index=myIndex DeviceLog [search index=myIndex DeviceLog | rex "(?i)deviceId=(?P<DevId>[^ ]+)" | stats values(DevId) as deviceId | format]

I've also tried a subquery variation using return like this:

...| dedup DevId | return 100000 $DevId]

this almost works because it matches the deviceId values but doesn't match the key prefix deviceId= which can result in false positives (cookies caching device id's in different parts of the device log)

Tags (2)
0 Karma

to4kawa
Ultra Champion
index=myIndex DeviceLog "deviceId="

Is this the same result?

alancalvitti
Path Finder

@to4kawa, can you be more specific as to where "deviceId=" in your answer should go? I tried it in the outer query like this index=myIndex DeviceLog "deviceId=" [search index=myIndex DeviceLog | rex ... but got zero matches.

0 Karma

alancalvitti
Path Finder

I see now it works with the last variation using return statement, thanks.

0 Karma

jacobpevans
Motivator

Don't forget to mark the answer if it helped you resolve your problem for others in the future.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...