https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480196#M134586 <P>I am running a nested search but does not return any data.</P> <P>However, when I run the search separately it does.</P> <P>The full search with no results is:</P> <PRE><CODE>index="f5-default" [search index="cisco_asa" host="192.168.5.x" dest_ip="172.16.5.57" | stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | table IP] </CODE></PRE> <P>But my first search:</P> <PRE><CODE>index="cisco_asa" host="192.168.5.2" dest_ip="172.16.5.57" src_ip!="208.94.147.100" src_ip="40.77.167.108" | stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | table IP </CODE></PRE> <P>or </P> <PRE><CODE>index="f5-default" </CODE></PRE> <P>I get events.</P> Fri, 08 Nov 2019 18:52:46 GMT lamelendrez 2019-11-08T18:52:46Z https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480196#M134586 <P>I am running a nested search but does not return any data.</P> <P>However, when I run the search separately it does.</P> <P>The full search with no results is:</P> <PRE><CODE>index="f5-default" [search index="cisco_asa" host="192.168.5.x" dest_ip="172.16.5.57" | stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | table IP] </CODE></PRE> <P>But my first search:</P> <PRE><CODE>index="cisco_asa" host="192.168.5.2" dest_ip="172.16.5.57" src_ip!="208.94.147.100" src_ip="40.77.167.108" | stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | table IP </CODE></PRE> <P>or </P> <PRE><CODE>index="f5-default" </CODE></PRE> <P>I get events.</P> Fri, 08 Nov 2019 18:52:46 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480196#M134586 lamelendrez 2019-11-08T18:52:46Z https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480197#M134587 <P>Subsearches become literal text in their main searches. If the subsearch results in 3 IP addresses like <CODE>10.2.3.4, 10.3.4.5, 10.4.5.6</CODE> then the full search will be <CODE>index="f5-default 10.2.3.4 10.3.4.5 10.4.5.6</CODE> which means all three IP addresses have to be present in an event to show up. Try this query:</P> <PRE><CODE>index="f5-default" [search index="cisco_asa" host="192.168.5.x" dest_ip="172.16.5.57" | stats count by session_id src_ip | where count=2 | dedup src_ip | rename src_ip as IP | fields IP | format] </CODE></PRE> <P>The <CODE>format</CODE> command adds <CODE>OR</CODE> operators between the results so you get a final search that looks like <CODE>index="f5-default (IP=10.2.3.4 OR IP=10.3.4.5 OR IP=10.4.5.6)</CODE>, which should work better.</P> Fri, 08 Nov 2019 19:54:25 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480197#M134587 richgalloway 2019-11-08T19:54:25Z https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480198#M134588 <P>Does the index f5-default have a field named IP?</P> <P>You could try getting your subsearch to return a plain text filter like this</P> <PRE><CODE>index="f5-default" [search index="cisco_asa" host="192.168.5.x" dest_ip="172.16.5.57" | stats count by session_id src_ip | where count=2 | dedup src_ip | fields src_ip | rename src_ip as search] </CODE></PRE> <P>Documentation here - <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Search/Changetheformatofsubsearchresults">https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Search/Changetheformatofsubsearchresults</A></P> Sat, 09 Nov 2019 19:13:59 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480198#M134588 arjunpkishore5 2019-11-09T19:13:59Z https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480199#M134589 <P>Your search assumes that the field with the IPAddress in <CODE>index="f5-default"</CODE> is named <CODE>IP</CODE> which evidently it is not (otherwise it would DEFINITELY work). Fix the <CODE>| rename src_ip AS IP</CODE> to the correct field name.</P> Sat, 09 Nov 2019 23:26:13 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-a-nested-search-not-returning-any-data/m-p/480199#M134589 woodcock 2019-11-09T23:26:13Z