I'm running into a problem where if I nest subsearches too far, I start to return no results. I'm unable to find a published limit of nesting, though. Is there one?
The search I'm trying to run can be paraphrased like so:
sourcetype=weblogs status=200 OR status=410 [search sourcetype=weblogs status=200 earliest=-3d@d latest=now request="GET /path/*" [search sourcetype=weblogs request="GET /path/*" status=410 earliest=-3d@d latest=now [search sourcetype=firewalllogs "/blocked/" earliest=-3d@d latest=now | dedup ip | table ip] | dedup ip | table ip] | dedup ip | table ip] | chart count over ip by status
In plainspeak: I have a firewall listing of IP addresses that have been blocked and I put that into a table. I use that table to find web requests that have a status=410 and put all those IP addresses into a table. I then use that table to find web requests that have a status=200 and put all those IP addresses into a table.
This table now has the IP addresses of people who have been blocked by the firewall and also seen status=200 AND status=456 at some point in the last 3 days. And this works (returning about 40 addresses) until I put that final wrapper on it to show the counts by status, at which point I get no results.
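One way to get the same answer without any subsearches, as an added example that is not part of the original post: pull both sourcetypes in a single search, flag each event, and let `stats ... BY ip` do the intersection. It assumes what the post implies but does not state outright, namely that `ip` is the IP field in both `weblogs` and `firewalllogs`, that `status` and `request` are extracted fields on the web events, and that the "/blocked/" firewall events carry no `status` field. The `status=200 OR status=410` clause is wrapped in its own parentheses so the `OR` cannot interact with the neighbouring terms.

```spl
(sourcetype=weblogs (status=200 OR status=410))
    OR (sourcetype=firewalllogs "/blocked/")
    earliest=-3d@d latest=now
| eval on_path=if(like(request, "GET /path/%"), 1, 0)
| stats count(eval(sourcetype=="firewalllogs")) AS blocked,
        count(eval(status==200 AND on_path==1)) AS ok_on_path,
        count(eval(status==410 AND on_path==1)) AS gone_on_path,
        count(eval(status==200)) AS status_200,
        count(eval(status==410)) AS status_410
        BY ip
| where blocked>0 AND ok_on_path>0 AND gone_on_path>0
| table ip status_200 status_410
```

The `where` line reproduces the three nested filters of the original (blocked by the firewall, a 410 on `GET /path/*`, a 200 on `GET /path/*`), and `status_200`/`status_410` reproduce the columns that `chart count over ip by status` would have produced for the surviving addresses. A quick sanity check is to run it with the `where` clause removed and confirm that the `blocked`, `ok_on_path` and `gone_on_path` columns are populated for the roughly 40 addresses the nested version returned. Independently of nesting depth, each subsearch is also subject to the result-count and run-time caps in the `[subsearch]` stanza of `limits.conf` (`maxout`, `maxtime`); a subsearch that hits either cap is truncated rather than failing loudly, so a single-pass `stats` version like the one above also removes that failure mode.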