Also, please check the attached pic of Splunk running in my UI. Please check and let me know what else I can do to make it work.

Hi, perhaps it is the wrong approach, but I try to use an inputlookup within a search and pass a value to this subsearch.

sourcetype=sample*-cloudwatch-logs file.txt | rex "RequestId: (?<reqid>\S*)\s" | table reqid | dedup reqid

rex "uploaded to: s3:\/\/sample.*?-test-.*?-us-east-1-s3/transmit-os/(?<filename>.*)" | table filename

If for some reason log is not available as a field, you should extract the full JSON object that contains 'log' as a key, extract that JSON with spath, then extract the fields contained in log using spath.

I have looked at the documentation on fields and format, and at multiple questions here, however I cannot get what I think should be a simple query to work properly. I want to output just a simple 'Yes' if it exists in the separate source.

The best way to extract structured data is spath.

I would like to do a subsearch with the MAC address, but cannot pass the MAC to the subsearch to work properly. This is an overly simplistic example, but should give you an idea of how it's used: first, craft your subsearch that will give you the fields you care about. I've tried using the 'search' command and 'foreach' command, but have had no joy.

The format command can be particularly useful for this.

It's taking the command as a whole instead of running the first query and then passing it as an input to the second query.

You don't need rex to extract requestType.

Run the event log query for users that exist in the array, e.g. using semantics such as isin() or contains(), or ii) enumerate the group members and perform a foreach() type loop.

Below is the screenshot of running two commands as one in the Splunk search.