topic use IN command with subsearch in Splunk Dev

use IN command with subsearch

sarit_s — Wed, 25 Nov 2020 14:39:25 GMT

Hello
i want to use IN command with subsearch like in the query above:

| tstats summariesonly=true allow_old_summaries=true max(_time) as _time, values("events.eventtype") as eventtype FROM datamodel=events_prod WHERE "events.kafka_uuid" IN ("search= [ | inputlookup kv_alerts_prod where _key="5f" | table uuids]") BY "events.kafka_uuid", "events.tail_id", "events._indextime", "events._raw", source, sourcetype

this query returns no results.. what am i missing ?

Re: use IN command with subsearch

richgalloway — Wed, 25 Nov 2020 20:55:24 GMT

Check the search log to see how Splunk is parsing that query. I suspect the contents of the IN argument is being treated literally instead of as a subsearch.

If the subsearch is being processed then it's possible it's not returning a valid argument for IN. Run the subsearch by itself with | format on the end to see the exact string returned. Adjust the subsearch as needed to make the returned value a valid IN argument.