So I have this search that I believe makes other searches from a list of regexes that I have stored in a csv.
[| inputlookup regex_test.csv
| eval search_this = "[search sourcetype=proxy | regex uri=\""+RegEx+"\"]"
| stats values(search_this) AS all_searches
| eval search="| multisearch "+search
| eval search=mvjoin(all_searches, " ")
| fields search ]
The above search fails:
Search process did not exit cleanly, exit_code=0, description="killed by signal 6: Aborted". Please look in search.log for this peer in the Job Inspector for more info.
However, the search that is created from the query above does not fail when you input it into the search bar (yes, it returns results on match):
| multisearch [search sourcetype=proxy | regex uri="^http:\/\/(?:(?!www|authorize|sdranch|azbar|finra|porsche|money|blog|forums?|it)[^\x2e]+\.[^\x2e]+\.com[^\x2f]*|[^\x2e]+\.tk)\/[ik](?=[^\n]{0,500}[a-z\x2d]{17,100})(?=[^\n]{0,500}[a-z\/\x2d]{60,200})(?:[a-z\x2d]+\/){4,32}(?:index\.html)?$"] [search sourcetype=proxy | regex uri="^http:\/\/[^\x2f]+\.[a-z]{2}\/(?=[^\x3f]+[a-z0-9]{17,}\/)(?:[a-z0-9]+\/){2,}(?:index\.php)?$"]
Apart from additional caffeine, what am I missing to make this great success?
Have I chosen the wrong command or the wrong way to go about creating this search of searches? The goal is to have a list of RegEx,Comment and search for matches against each RegEx in the list.
Thanks for taking some time to think about this one!
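An offline way to check the stated goal (every RegEx,Comment row tested against each URI), as an added example that is not part of the original post. It uses Python rather than SPL; the two patterns are copied from the generated multisearch above, while the Comment values, the malformed third row and the sample URIs are constructed for illustration.

```python
import csv
import io
import re

# The two patterns from the generated multisearch in the post, verbatim.
RX_COM_TK = r'^http:\/\/(?:(?!www|authorize|sdranch|azbar|finra|porsche|money|blog|forums?|it)[^\x2e]+\.[^\x2e]+\.com[^\x2f]*|[^\x2e]+\.tk)\/[ik](?=[^\n]{0,500}[a-z\x2d]{17,100})(?=[^\n]{0,500}[a-z\/\x2d]{60,200})(?:[a-z\x2d]+\/){4,32}(?:index\.html)?$'
RX_CC_PHP = r'^http:\/\/[^\x2f]+\.[a-z]{2}\/(?=[^\x3f]+[a-z0-9]{17,}\/)(?:[a-z0-9]+\/){2,}(?:index\.php)?$'

# Constructed lookup rows (RegEx, Comment); the last row is deliberately malformed.
ROWS = [
    (RX_COM_TK, "deep lowercase path on .com/.tk"),
    (RX_CC_PHP, "long token on two-letter TLD"),
    ("(unclosed", "malformed row"),
]
# Constructed proxy URIs: one per pattern, plus one that should match nothing.
SAMPLE_URIS = [
    "http://cdn.example.com/information-pages-archive/regional-content-mirror/static-asset-bundle/latest/",
    "http://files.example.zz/abc123/abcdefghij0123456789k/",
    "http://www.example.com/index.html",
]

def build_lookup(rows):
    """Serialise rows as CSV; the RegEx field gets quoted because it contains commas."""
    buf = io.StringIO()
    csv.writer(buf).writerows([("RegEx", "Comment"), *rows])
    return buf.getvalue()

def load_patterns(csv_text):
    """Compile every row up front; a bad regex is reported instead of aborting the run."""
    compiled, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            compiled.append((re.compile(row["RegEx"]), row["Comment"]))
        except re.error as exc:
            rejected.append((row["RegEx"], str(exc)))
    return compiled, rejected

def match_uris(uris, compiled):
    """Return {uri: [comments of matching patterns]} for URIs with at least one hit."""
    hits = {}
    for uri in uris:
        comments = [comment for rx, comment in compiled if rx.search(uri)]
        if comments:
            hits[uri] = comments
    return hits

if __name__ == "__main__":
    compiled, rejected = load_patterns(build_lookup(ROWS))
    print(match_uris(SAMPLE_URIS, compiled), rejected)
```

Because patterns such as `{0,500}` contain commas, the RegEx column has to be quoted in the CSV, otherwise a row is split mid-pattern and the truncated regex fails to compile.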