https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414559#M119425 <P>All three of the searches should have the same <CODE>earliest</CODE> and <CODE>latest</CODE> settings.</P> <P>If you problem is resolved, please accept the answer to help future readers.</P> Sat, 30 Jun 2018 18:58:21 GMT richgalloway 2018-06-30T18:58:21Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414554#M119420 <P>Hello there ! </P> <P>This is my first post here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> I've already read a lot of query/answer, try a lot of things, but .... i'm still not getting something good <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>I'd need to mix 3 differents queries in order to get my final result. <BR /> I would like to be able to run only ONE query instead of doing step by step the 3 of them. </P> <P><STRONG>A. the first query : get the all transactionId</STRONG><BR /> Extract all fields called "transactionId" for one source where the word 'ERROR' is seen</P> <PRE><CODE>* "] ERROR" source=*exp* | table transactionId | dedup transactionId </CODE></PRE> <P>For example, this will return 2 lines : </P> <PRE><CODE>dd2ff560-7bcd-11e8-8ac7-005056ac4954 db846840-7bcd-11e8-8ac7-005056ac4954 </CODE></PRE> <P><STRONG>B. based on the transactionId found in query A, found the correlationId</STRONG> : </P> <PRE><CODE>* source=*mb05* HTTPHeaderHandler.InboundHeaders ( transactionId from query A ) | rename message_id as correlationId | table correlationId </CODE></PRE> <P>My query in a step by step mode looks like </P> <PRE><CODE>* source=*mb05* HTTPHeaderHandler.InboundHeaders (dd2ff560-7bcd-11e8-8ac7-005056ac4954 OR db846840-7bcd-11e8-8ac7-005056ac4954) | rename message_id as correlationId | table correlationId </CODE></PRE> <P>The result is 2 lines also : </P> <PRE><CODE>zz31ca20-7bcd-11e8-8ac7-005056ac4954 zz863d00-7bcd-11e8-8ac7-005056ac4954 </CODE></PRE> <P>_<EM>C. with the correlationId found on B get all the lines with Exception _</EM> : </P> <PRE><CODE>* source=*mb05* ExceptionHandler.HandledException ( correlationID from query B) | fields _raw </CODE></PRE> <P>In my step by step mode : </P> <PRE><CODE>* source=*mb05* ExceptionHandler.HandledException ( zz31ca20-7bcd-11e8-8ac7-005056ac4954 OR zz863d00-7bcd-11e8-8ac7-005056ac4954 ) | fields _raw </CODE></PRE> <P>That gives me the log that I'm looking for. <BR /> A bit annoying to do it step by step. </P> <P>So I'd like to get something like : </P> <PRE><CODE>* source=*mb05* ExceptionHandler.HandledException [ search source=*mb05* HTTPHeaderHandler.InboundHeaders [ search * "] ERROR" source=*exp* | table transactionId | dedup transactionId ] | rename message_id as correlationId | table correlationId ] | fields _raw </CODE></PRE> <P>If anybody has some clue to help me I will be more than happy ! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> <P>Thanks in advance for your help!</P> Fri, 29 Jun 2018 20:04:40 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414554#M119420 tomtomFR 2018-06-29T20:04:40Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414555#M119421 <P>Your final query is close to what I suggest. What do you get when you run it? BTW, <CODE>fields</CODE> is more efficient than <CODE>table</CODE> as an interim command.</P> <PRE><CODE>source=*mb05* ExceptionHandler.HandledException [ search source=*mb05* HTTPHeaderHandler.InboundHeaders [ search * "] ERROR" source=*exp* | stats list(transactionId) as transactionId | mvexpand | format ] | rename message_id as correlationId | fields correlationId | format ] | fields _raw </CODE></PRE> Fri, 29 Jun 2018 20:52:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414555#M119421 richgalloway 2018-06-29T20:52:37Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414556#M119422 <P>thanks for your answer @Rich</P> <P>I try to run your command, and just made a small change with mvexpand as it first failed :<BR /> (with error : "Error in 'mvexpand' command: A field name is expected." ) </P> <PRE><CODE>source=*mb05* ExceptionHandler.HandledException [ search source=*mb05* HTTPHeaderHandler.InboundHeaders [ search * "] ERROR" source=*exp* | stats list(transactionId) as transactionId | mvexpand transactionId | format ] | rename message_id as correlationId | fields correlationId | format ] | fields _raw </CODE></PRE> <P>The result is "no data found"</P> <P>I try to make it step by step<BR /> 1. the first part to get all transactionId =&gt; found the right ID<BR /> 2. then to get the correlationId =&gt; no more data</P> <P>I ran : </P> <PRE><CODE>* source=*mb05* HTTPHeaderHandler.InboundHeaders [ search * "] ERROR" source=*exp* | stats list(transactionId) as transactionId | mvexpand transactionId | format ] | rename message_id as correlationId | fields correlationId | format </CODE></PRE> <P>and I get the following table/result : </P> <H2>correlationId | search</H2> <P>&lt;&gt; | NOT()</P> <P>for the 1st part</P> <PRE><CODE>[ search * "] ERROR" source=*exp* | stats list(transactionId) as transactionId | mvexpand transactionId | format ] </CODE></PRE> <P>it's creating something like : </P> <PRE><CODE>( ( transactionId="dd2ff560-7bcd-11e8-8ac7-005056ac4954" ) OR ( transactionId="db846840-7bcd-11e8-8ac7-005056ac4954" ) ) </CODE></PRE> <P>this is why it failed ! <BR /> is it possible to get only something like : </P> <PRE><CODE>( ( "dd2ff560-7bcd-11e8-8ac7-005056ac4954" ) OR ( "db846840-7bcd-11e8-8ac7-005056ac4954" ) ) </CODE></PRE> <P>?</P> Fri, 29 Jun 2018 21:15:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414556#M119422 tomtomFR 2018-06-29T21:15:58Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414557#M119423 <P>@Richgalloway you're my heroe !! (l)</P> <P>using this link : <A href="https://answers.splunk.com/answers/1212/can-a-subsearch-return-only-the-value-without-the-fieldname.html">https://answers.splunk.com/answers/1212/can-a-subsearch-return-only-the-value-without-the-fieldname.html</A> </P> <P>I found how to reply to my last question. </P> <P>So I try something new with your reply, and now that's working perfectly !!! </P> <PRE><CODE>source=*mb05* ExceptionHandler.HandledException [ search source=*mb05* HTTPHeaderHandler.InboundHeaders [ search * "] ERROR" source=*exp* | stats list(transactionId) as search | mvexpand search | format ] | stats list(message_id) as search | format ] | fields _raw </CODE></PRE> <P>Thanks a lot !!!!!</P> Fri, 29 Jun 2018 21:25:08 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414557#M119423 tomtomFR 2018-06-29T21:25:08Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414558#M119424 <P>one more question still <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> <P>where should I put the earliest and latest command to make the query(ies) more efficient ? <BR /> on the 3 of them ? only on the one to get the transactionId ? ...? </P> Fri, 29 Jun 2018 21:29:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414558#M119424 tomtomFR 2018-06-29T21:29:11Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414559#M119425 <P>All three of the searches should have the same <CODE>earliest</CODE> and <CODE>latest</CODE> settings.</P> <P>If you problem is resolved, please accept the answer to help future readers.</P> Sat, 30 Jun 2018 18:58:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414559#M119425 richgalloway 2018-06-30T18:58:21Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414560#M119426 <P>thanks to @richgalloway<BR /> and a quick look at this link <A href="https://answers.splunk.com/answers/1212/can-a-subsearch-return-only-the-value-without-the-fieldname.html">https://answers.splunk.com/answers/1212/can-a-subsearch-return-only-the-value-without-the-fieldname.html</A> </P> <P>the final answer is : </P> <PRE><CODE>source=*mb05* ExceptionHandler.HandledException [ search source=*mb05* HTTPHeaderHandler.InboundHeaders [ search * "] ERROR" source=*exp* | stats list(transactionId) as search | mvexpand search | format ] | stats list(message_id) as search | format ] | fields _raw </CODE></PRE> Sat, 30 Jun 2018 20:10:00 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414560#M119426 tomtomFR 2018-06-30T20:10:00Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414561#M119427 <P>@tomtomFR If your problem is resolved, please accept an answer to help future readers.</P> Sun, 01 Jul 2018 12:26:12 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-query-with-3-sub-search-returning-several-items/m-p/414561#M119427 richgalloway 2018-07-01T12:26:12Z