Re: Using subsearch results to loop through anothe...

jeck11 · ‎11-03-2022

I have been reviewing the countless other postings on subsearches but I can't pull them all together to figure out our issue.

This first search builds a list of carts that we need to find the contents of:

index="name" "Authorization was not successful!" AND /placeorder
| rex field=_raw "/carts/(?<cart>.+)/placeorder" | dedup cart | table cart

This is where I run into issues. I need to take the table created in that search and find all of the items contained in them.

Here is the search for a single cart from that list:

index="name" "3322830131/processCheckout" AND "\"paymentProvider\":\"PayPal\""

My thought is that I need to cycle through the table from the subsearch, replacing the number in this search, then finally building a visualization that shows the contents of each cart using the most recent event in the second search.

Am I way off? This seems pretty easy but I can't figure it out. TYIA

ITWhisperer · ‎11-03-2022

Try something like this

index="name" "\"paymentProvider\":\"PayPal\"" [ search index="name" "Authorization was not successful!" AND /placeorder
| rex field=_raw "/carts/(?<cart>.+)/placeorder" | dedup cart | eval search=cart."/processCheckout" | fields search | format ]

The field "search" is given special treatment by format such that just the values are kept, not the field name i.e. "value" rather than 'search="value"'

Using subsearch results to loop through another search?

subsearch

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases