topic Re: Mechanism to return fields not part of a query from subsearch in Splunk Search

Mechanism to return fields not part of a query from subsearch

rdownie — Wed, 28 Aug 2013 00:56:13 GMT

index=abc [index=def a=b | fields c,d,e | format]

will create something like

index=abc (c=blah) AND (d=foo) AND (e=bar)

Instead of e being part of the search, I just want the value of e to be used later in the primary search possibly in a table? I lose the values of the fields in the subsearch. I tried outputing them to an outputlookup in the subsearch and then doing a lookup to pull them back but it appears the outputlookup doesn't flush them out to the file quick enough. If I re-run the search, I will get those results but that is a hack. Any ideas here?

Thanks,

-Bob

Re: Mechanism to return fields not part of a query from subsearch

wpreston — Wed, 28 Aug 2013 01:25:08 GMT

I'm not sure I understand your aim, but could you use append, appendcols, or join to get what you need instead of having a subsearch in your primary search?

Re: Mechanism to return fields not part of a query from subsearch

lukejadamec — Wed, 28 Aug 2013 01:27:26 GMT

You made fields part of the result, so it ends up in the result. It does not appear to be part of the search, but if the event contains e and you make e part of your result, then you will end up with e. That's just the way it is.