Solved: EVAL with Sub search

Reddy_dash · ‎09-17-2020

Hi Friends,

If I execute below highlighted query I am getting the result where when I supply the result as search it is not returning any result

index=* env=X1 SourceName=*api* [search index=* env=X1 SourceName=*api* "Transaction" | eval "TraceID"=substr(Message,85,36) | table "TraceID"]

Please help on this.

Thanks

richgalloway · ‎09-17-2020

If you run the subsearch with | format appended to it then you'll see what is added on to the main search. That has to make sense with your data to get resuits. I suspect your subsearch is producing a result like this:

(TraceID="foo" OR TraceID="bar" OR TraceID="baz")

If the events do not contain a field called "TraceID" then no results will be found.

Try this subsearch, instead.

search index=* env=X1 SourceName=*api* "Transaction" | eval "TraceID"=substr(Message,85,36) | return 1000 $TraceID

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-17-2020

If you run the subsearch with | format appended to it then you'll see what is added on to the main search. That has to make sense with your data to get resuits. I suspect your subsearch is producing a result like this:

(TraceID="foo" OR TraceID="bar" OR TraceID="baz")

If the events do not contain a field called "TraceID" then no results will be found.

Try this subsearch, instead.

search index=* env=X1 SourceName=*api* "Transaction" | eval "TraceID"=substr(Message,85,36) | return 1000 $TraceID

---
If this reply helps you, Karma would be appreciated.

EVAL with Sub search

search job inspector

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...