dbxquery query'select sku from purchaseorderslineitem. Now if you configure an automatic extraction in props.

Hi Splunkers, We are trying to pass variables from the subsearch to search, in this case from the subsearch we are getting 3 fields which will need to be in the SQL of the search.

Then your search can be much shorter, and faster as well, since we can use the index to look for the ip, rather than perform a full table scan:

host=linux1 DHCPACK

Now if you configure an automatic extraction in nf for this data say: You just need to tell Splunk that you want the output of the subsearch to be an argument to the search command and also that the Source_Network_Address field should be called "ip" in the outer search:

host=linux1 DHCPACK | rex field=_raw "on (?.*) to (?.*)" | search

A subsearch in Splunk is a unique way to stitch together results from your data.

* sourcetype=WinEventLog:Security Options|

Attempted search query (part of the one above):

host=linux1 DHCPACK | rex field=_raw "on (?.*) to (?.*)"

Logon GUID:

* host=dc2 Options| Message=Successful Network Logon: User Name: > Sid=S-1-5-21-767897961-102478171-4665678964-895678

remove the word 'EmailAddress' - I assume you want to look for a field that is called EmailAddress in the firstIndex data using the values coming from the subsearch, but with this search you are looking for the WORD EmailAddress as well as the value of the EmailAddress FIELD coming from.

Any ideas to get the query working right? Thanks for the help

Aug 11 14:29:19 linux1 dhcpd: DHCPACK on 10.182.171.65 to 00:xx:12:xx:x0:xc via 10.182.171.2

* host=linux1 Options|

It's giving me various errors, however- not to mention that the current query is incomplete.

In this section, we are going to learn about the Sub-searching in the Splunk platform.

Which finds the latest login from the given username, extracts the ip address from the event log, and then finds and returns the mac address via some DHCP logs (matching the IPs) this is so that we can find the physical location of the machine.

If not specified, spaces and tabs are removed from the right side of the.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.