topic Re: Only one value from subsearch being used by parent in Splunk Search

Only one value from subsearch being used by parent

775149 — Sun, 13 Oct 2019 21:29:34 GMT

I would like all the results from a field extraction in search "A" to be used as search criteria in search "B". I am using a subsearch for this, however for some reason only the top result for the field in search "A" is being used in search "B", where I want all the values to be used. Individually search A returns multiple results, and I can find these results in search B but not together:

index=<my_index> sourcetype=<my_sourcetype> other search foo [search index=<my_other_index> sourcetype=<another_sourcetype> extra search foo | rex field=_raw "some regex(?<my_field>)" | dedup my_field | fields my_field | rename my_field as search ]

For example my_field should return a bunch of values e.g. 1, 2, 3, 4, 5 but only "1" is being used in the parent search.

Any ideas why it isn't using all of the values with implicit "OR" between??

Re: Only one value from subsearch being used by parent

MuS — Mon, 14 Oct 2019 00:38:05 GMT

Hi 775149,

give format a try https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/format

Hope this helps ...

cheers, MuS

Re: Only one value from subsearch being used by parent

775149 — Mon, 14 Oct 2019 03:16:17 GMT

Perfect, thanks can't believe it was so simple after all that googling

index=<my_index> sourcetype=<my_sourcetype> other search foo [search index=<my_other_index> sourcetype=<another_sourcetype> extra search foo | rex field=_raw "some regex(?<my_field>)" | dedup my_field | fields my_field | rename my_field as search | format ]