Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

subsearch not help

mcbradford
Contributor
‎03-12-2013 01:32 PM

I asked this earlier and the solution did not work, so I am asking again. I think I am really close...

Basically what I want to do is look at the previuos week for installed products, take the list and then compare it against what has been installed this week and tell me what is new.

For starters, this will provide me the list:

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name

I can take this as a subsearch with an earliest= -7d

Pass the results back to the first, but I need to NOT the products installed.

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name | format "NOT(" "" "" "" "OR" ")"

When I try this...

index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name[search index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707  earliest= -7d| dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --"  | fields product_name | format "NOT(" "" "" "" "OR" ")"]

I get an error:

Error in 'fields' command: Invalid argument: 'product_name=product installed name'

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-12-2013 01:46 PM

It is what it says on the tin - the argument you pass to fields is invalid:

... | fields product_name[search something something ...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-12-2013 01:46 PM

It is what it says on the tin - the argument you pass to fields is invalid:

... | fields product_name[search something something ...
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2013 02:49 AM

Assuming you want to filter the main search by the subsearch, try something like this:

... | fields product_name | search [search something something ...

This way the subsearch is used as an argument for a search command, not mangled into the fields command which obviously cannot understand it.

0 Karma
Reply
Solved! Jump to solution

riqbal47010
Path Finder
‎11-13-2019 11:43 PM

hi

are you able to get the desired results ?

0 Karma
Reply
Solved! Jump to solution

mcbradford
Contributor
‎03-12-2013 02:14 PM

I get that! So what would the correct search look like.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...