
Problem correlating results in a subsearch

Open jimmony opened this issue 8 years ago • 0 comments

Hello,

I've been trying to get a subsearch to work but it doesn't seem to do what I expect. I've boiled down what I'm doing to the following scenario...

query: class=bro_http srcip:"192.168.1.1" groupby:dstip
expected result: [192.168.101.10, 192.168.13.7]
actual result: [192.168.101.10, 192.168.13.7]

query: class=bro_conn srcip:"192.168.1.1" groupby:dstip
expected result: [192.168.101.10, 192.168.13.7]
actual result: [192.168.101.10, 192.168.13.7]

query: class=bro_http srcip:"192.168.1.1" groupby:dstip | subsearch(class=bro_conn groupby:dstip,dstip)
expected result: [192.168.101.10, 192.168.13.7]
actual result: []

I thought that the subsearch must be creating a query where the input IPs were ANDed together, however after looking into the code in Query.pm it seems that they are OR'd together. If I force the initial query to return only one dstip then the result still comes back empty, so there must be more to it.

If I leave out the second parameter of subsearch() then I get a lot of results, but it does not constrain the IPs to the dstip.

I'd be happy to look into this further but I cannot seem to see the subsearch query being written to a log... line 795: $self->log->trace('Subsearch query: ' . $subsearch_query_string);

All the best

Jim

jimmony avatar Apr 27 '17 10:04 jimmony
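To make the expected correlation concrete, here is an added example (not ELSA's Query.pm, and not code from the issue) that models the pipeline above over a handful of constructed bro_http / bro_conn records: the outer query's groupby values are fed into the inner query as an OR'd term on the named field, which is the behaviour the poster found in Query.pm and the result the post expects. The query parser and the `subsearch(outer, inner, field)` signature are simplifications assumed for this model.

```python
import re

# Constructed sample records standing in for ELSA's bro_http and bro_conn classes.
RECORDS = [
    {"class": "bro_http", "srcip": "192.168.1.1", "dstip": "192.168.101.10"},
    {"class": "bro_http", "srcip": "192.168.1.1", "dstip": "192.168.13.7"},
    {"class": "bro_http", "srcip": "10.0.0.5",    "dstip": "192.168.50.2"},
    {"class": "bro_conn", "srcip": "192.168.1.1", "dstip": "192.168.101.10"},
    {"class": "bro_conn", "srcip": "192.168.1.1", "dstip": "192.168.13.7"},
    {"class": "bro_conn", "srcip": "10.0.0.5",    "dstip": "192.168.50.2"},
]

# Matches field=value, field:value and field:"quoted value" terms.
TERM = re.compile(r'(\w+)[:=]("?)([^"\s]+)\2')


def parse(query):
    """Split an ELSA-style query string into {field: {values}} plus a groupby field."""
    terms, groupby = {}, None
    for field, _, value in TERM.findall(query):
        if field == "groupby":
            groupby = value
        else:
            terms.setdefault(field, set()).add(value)
    return terms, groupby


def _select(terms, records):
    # A record matches when every field term has one of its permitted values.
    return [r for r in records if all(r.get(f) in vals for f, vals in terms.items())]


def run(query, records=RECORDS):
    """Evaluate a query; with groupby, return the sorted distinct values of that field."""
    terms, groupby = parse(query)
    hits = _select(terms, records)
    return sorted({r[groupby] for r in hits}) if groupby else hits


def subsearch(outer, inner, field, records=RECORDS):
    """Feed the outer query's groupby values into the inner query as an OR'd term on `field`."""
    values = run(outer, records)
    if not isinstance(values, list) or values and not isinstance(values[0], str):
        raise ValueError("outer query must use groupby so its values can be fed inward")
    terms, groupby = parse(inner)
    terms.setdefault(field, set()).update(values)   # OR: any outer value may match
    return sorted({r[groupby or field] for r in _select(terms, records)})
```

With the sample data, `subsearch('class=bro_http srcip:"192.168.1.1" groupby:dstip', 'class=bro_conn groupby:dstip', 'dstip')` yields the two dstips the post expects, and an outer query with no hits correctly yields an empty list.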