Hi,
I'm on 6.1.1 and I need to interrogate two different indexes, so I thought the multisearch command would be up for the job.
The first search is:
index=a sourcetype=b f1!="" f2!="stuff" f2!="stuff" f2!="sti=stuff"
| rex max_match=0 field=f3 "\/\/(?P<fqdn>[a-zA-Z0-9\-\.]+)"
| regex fqdn="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search NOT [|inputlookup file1 | fields xf4 | rename f4 as f4]
| fields f1 f2 f3 f4 f5 f6 f7
| fields - _raw
| mvexpand f5
| search f5!=*.jpg f5!=*.jpeg f5!=*.gif f5!=*.txt f5!=*.png
| mvexpand nf
| regex nf="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| regex f5="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search nf!="10.0.0.0/8" nf!="172.16.0.0/12" nf!="127.0.0.1" nf!="192.168.0.0/16"
| eval check=1
Second search:
index=c sourcetype=d earliest=-2d f9=0 f10=0
| regex b_f="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| fields b_f
| eval check=2
With multisearch:
|multisearch
[search index=a sourcetype=b f1!="" f2!="stuff" f2!="stuff" f2!="sti=stuff"
| rex max_match=0 field=f3 "\/\/(?P<fqdn>[a-zA-Z0-9\-\.]+)"
| regex fqdn="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search NOT [|inputlookup file1 | fields xf4 | rename f4 as f4]
| fields f1 f2 f3 f4 f5 f6 f7
| fields - _raw
| mvexpand f5
| search f5!=*.jpg f5!=*.jpeg f5!=*.gif f5!=*.txt f5!=*.png
| mvexpand nf
| regex nf="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| regex f5="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search nf!="10.0.0.0/8" nf!="172.16.0.0/12" nf!="127.0.0.1" nf!="192.168.0.0/16"
| eval check=1]
[search index=c sourcetype=d earliest=-2d f9=0 f10=0
| regex b_f="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| fields b_f
| eval check=2]
Both searches return events when I run them on their own, but with multisearch, no joy.
Am I missing something?
Why do I only get results from the second search?
Thanks in advance for any pointers!