cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
gillockb
Explorer
Member since: ‎10-25-2021
‎06-08-2022
Community Statistics
Posts 3
Solutions 1
Karma Given 8
Karma Received 0
Member Since ‎10-25-2021
Activity Feed
Topics I've Started
View All

Re: Subsearch not returning any results

by in Splunk Search
‎11-10-2021 10:28 AM
‎11-10-2021 10:28 AM
Bah!  I figured it out.  I did not realize the format command was being applied to the subsearch resulting in  ( ( GUID="7c10cfbc-6892-4590-a05c-c12acf16932b" ) ) instead of just the GUID value.  And as the raw data does not contain a GUID field, there was nothing to match it to.  Since I constructed the subsearch in the Search app it was giving me just the value I was looking for.  Hard lesson learned...   I ran an Extract  New Fields to create the GUID field from the raw data and now am receiving the results I desire.  Thanks all for taking a look and thanks again, JC for trying to help! ... View more

Re: Subsearch not returning any results

by in Splunk Search
‎11-09-2021 10:45 AM
‎11-09-2021 10:45 AM
Thank you, JC.  I very much appreciate the assist, unfortunately that didn't help.  Returns no results again. The regex actually provides me with the GUID.  It's a much longer string in the logs.  And the first query with the GUID hardcoded gives me the final results I'm looking for. Thanks again!  Cheers, Brian ... View more

Subsearch not returning any results

by in Splunk Search
‎11-09-2021 07:11 AM
‎11-09-2021 07:11 AM
Hello Splunksters, I'm new to Splunk and am constructing my first subsearch.  I've read the documentation on subsearches, but am apparently missing something fundamental.  I have a log file that captures and records events based on a GUID.  Obviously GUIDs aren't something one goes searching for directly.  The primary search is by phone number.  So, I need to accept a phone number, retrieve the associated GUID and then return all the results tied to that GUID.  I have the search retrieving the GUID working, and want to use that as the subsearch. Ultimate search I wish to run: index="myIndex" sourcetype="mySourceType" 7c10cfbc-6892-4590-a05c-c12acf16932b   Search retrieving GUID (this works): index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber> | rex field=_raw "(?<GUID>\].*$$)" | rex field=GUID "(?<GUID>[^NAME]+)" | eval GUID=replace(GUID, "]", "") | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g" | dedup GUID | table GUID   What I thought the subsearch should look like: index="myIndex" sourcetype="mySourceType" [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber> | rex field=_raw "(?<GUID>\].*$$)" | rex field=GUID "(?<GUID>[^NAME]+)" | eval GUID=replace(GUID, "]", "") | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g" | dedup GUID | table GUID] Everything in the [] returns the GUID, as I understand the doc, that should be what is searched for in the main search.  What am I missing? Thank you! Brian ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-08-2022 08:37 AM
Karma given to