topic Re: splunk query with sub search not returning the desired results in Splunk Search

splunk query with sub search not returning the desired results

vivek991985 — Wed, 30 Sep 2020 01:44:30 GMT

Query is:
index=xyz source ="File1.log" [ search index=xyz source="File2.log" search_input | rex ".]*Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" | eval ID = "" + ID + "*" | return $ID ]

It returns the results for ID='2138536' (2 events as expected) but also returns additional events (5 more message events) for other IDs.

Please advise if there is anything wrong with the query.

Re: splunk query with sub search not returning the desired results

vivek991985 — Thu, 15 Aug 2019 07:12:47 GMT

Corrected:

index=xyz source ="File1.log" [ search index=xyz source="File2.log" search_input | rex ".]Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" | eval ID = "" + ID + "" | return $ID ]

Re: splunk query with sub search not returning the desired results

richgalloway — Thu, 15 Aug 2019 12:54:19 GMT

Run the subsearch by itself to see what results it produces. Those results will be what the main search looks for so make sure they are correct before continuing.

Re: splunk query with sub search not returning the desired results

vinaypradhan — Thu, 15 Aug 2019 13:07:33 GMT

what is the logic of the result that you are expecting? are you expecting to see only the common ones between File1.log and File2,log ? you can try using set intersect here, which should get you only the common entries.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Set