bacchussr,
I got this to work by modifying the output of the subsearch using a combination of renaming the data field to query, so only field values are passed back to the main search, and reformatting what is passed back to use the CASE() function using the format command.
I did this by adding the following to the end of your subsearch:
| rename qid AS query | format "(" "CASE(" "AND" ")" "OR" ")"
So the entire search is this:
index=sendmail host=mail-gw* [ search index=sendmail host=mail-gw* to="someone@example.org" | fields qid | rename qid AS query | format "(" "CASE(" "AND" ")" "OR" ")" ] | transaction qid
Behind the scenes, this changes the litsearch from looking something like this:
index=sendmail ( ( index=sendmail) AND ( qid=v6F1cQ7Q008732 ) ) OR ( ( index=sendmail) AND ( ( qid=v6F1OVwW030445 ) ) OR ( ( index=sendmail) AND ( ( qid=v6F1DS7p016069 ) ) OR ...
to looking something like this:
index=sendmail ( CASE( v6F1cQ7Q008732 ) OR CASE( v6F1OVwW030445 ) OR CASE( v6F1DS7p016069 ) OR CASE( v6F18fBE012916 ) OR CASE( v6F0X9nx005820 ) OR CASE( v6EAoQkO026448 ) OR ...
This causes the main search to interpret the qid values passed into the CASE() function and transact the qids while preserving case.
You can find more information about this in the Splunk formatting exceptions documentation, the search reference page for the format command, and this excellent post.
I hope this helps; I know it has helped us get accurate results from case-sensitive subsearches!
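The following is an added Python model of what the answer above describes; it is not Splunk's code and not part of the original post. It renders subsearch rows with the six positional arguments of `format` (row prefix, column prefix, column separator, column end, row separator, row end), treats a field named `query` as a bare value the way `rename qid AS query` relies on, and then evaluates the resulting clause the way the main search would: a plain `field=value` term compares case-insensitively, a `CASE( ... )` term compares exactly. The qids and events are constructed sample data; the third event's qid differs from a real one only by case, which is exactly the kind of unrelated message a case-insensitive match would wrongly fold into the transaction.

```python
# Added illustration (not Splunk's own code): how `format` builds a search
# clause from subsearch rows, and why the "CASE(" column prefix matters when
# the joined field is a case-sensitive identifier such as a sendmail qid.

# Positional arguments of `format`, in the order Splunk takes them:
# row prefix, column prefix, column separator, column end, row separator, row end
DEFAULT_TEMPLATE = ("(", "(", "AND", ")", "OR", ")")   # Splunk's default
CASE_TEMPLATE = ("(", "CASE(", "AND", ")", "OR", ")")  # template from the answer


def format_rows(rows, template=DEFAULT_TEMPLATE):
    """Render subsearch result rows the way `| format ...` does.

    rows: list of dicts, one per subsearch result (field -> value).
    A field named `query` is emitted as a bare value (no `field=`), which is
    what `rename qid AS query` in the answer relies on. The column prefix and
    column end wrap the whole row, so a CASE( prefix only makes sense when the
    subsearch returns a single field (hence `fields qid` in the answer).
    """
    row_prefix, col_prefix, col_sep, col_end, row_sep, row_end = template
    rendered_rows = []
    for row in rows:
        terms = [value if field == "query" else f'{field}="{value}"'
                 for field, value in row.items()]
        rendered_rows.append(f"{col_prefix} " + f" {col_sep} ".join(terms) + f" {col_end}")
    return f"{row_prefix} " + f" {row_sep} ".join(rendered_rows) + f" {row_end}"


def event_matches(event, rows, template=DEFAULT_TEMPLATE, match_field="qid"):
    """Evaluate the generated clause against one event the way the main search
    would: terms within a row are AND'ed, rows are OR'ed. A bare `field=value`
    term matches case-insensitively; a CASE( ... ) term requires an exact match.
    `match_field` is the event field a bare `query` value is compared against
    (an assumption of this model; in the answer it is qid)."""
    case_sensitive = template[1].startswith("CASE(")

    def term_hits(field, wanted):
        actual = event.get(field)
        if actual is None:
            return False
        return actual == wanted if case_sensitive else actual.lower() == wanted.lower()

    for row in rows:
        if all(term_hits(match_field if f == "query" else f, v) for f, v in row.items()):
            return True
    return False


def select_events(events, rows, template=DEFAULT_TEMPLATE):
    """Events the main search would keep for the clause built from `rows`."""
    return [e for e in events if event_matches(e, rows, template)]


# Constructed sample data: two qids found by the subsearch, plus an event whose
# qid differs from the first only by case (a different message in sendmail).
SUBSEARCH_ROWS = [{"query": "v6F1cQ7Q008732"}, {"query": "v6F1OVwW030445"}]
EVENTS = [
    {"qid": "v6F1cQ7Q008732", "msg": "from=<someone@example.org>"},
    {"qid": "v6f1cq7q008732", "msg": "from=<unrelated@example.net>"},
    {"qid": "v6F1OVwW030445", "msg": "to=<someone@example.org>"},
    {"qid": "v6F18fBE012916", "msg": "stat=Sent"},
]

if __name__ == "__main__":
    print(format_rows(SUBSEARCH_ROWS))                 # default: ( ( v6F... ) OR ( v6F... ) )
    print(format_rows(SUBSEARCH_ROWS, CASE_TEMPLATE))  # ( CASE( v6F... ) OR CASE( v6F... ) )
    print([e["qid"] for e in select_events(EVENTS, SUBSEARCH_ROWS)])
    print([e["qid"] for e in select_events(EVENTS, SUBSEARCH_ROWS, CASE_TEMPLATE)])
```

With the default template the lower-cased look-alike qid is pulled into the result set and would be merged into the wrong transaction; with the CASE( template only the two exact qids survive. Because the column prefix wraps the whole row, keep the subsearch down to the single field you are joining on before applying this trick; a two-field row would render as `CASE( a AND b )`, which is not a valid CASE() term.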