topic Re: "Unknown search command" with subsearch in Splunk Search

"Unknown search command" with subsearch

chrlshrnbrgr — Wed, 13 Mar 2013 15:11:11 GMT

I'm stumbing over subsearches.

In our system, app server logs contain an SID (session ID). It's trivial to find all (valid/known) SIDs for a given account with:

SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID

I can also break down the status codes easily:

sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE

But I can't figure out how to put the two together using a subsearch. If I try:

sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE [ SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID ]

I get:

Unknown search command 'sid'.

What am I missing here?

Re: "Unknown search command" with subsearch

martin_mueller — Wed, 13 Mar 2013 15:13:24 GMT

You need to call a command first, such as "search". For the main query that is prepended by default. Something like this:

... [search SID=...

I'm not sure what you want to do though, since you're passing the result of the subsearch to the top command, which doesn't support this.

Re: "Unknown search command" with subsearch

chrlshrnbrgr — Wed, 13 Mar 2013 15:25:51 GMT

Thanks, I figured out the same by looking thru other questions tagged with subsearch. Here's what I ended up with:

sourcetype=unicorn HTTP_CODE>=400 [ | search SID!=SID_UNKNOWN sourcetype=unicorn account=customer@example.com | top SID | table SID ] | top HTTP_CODE

Re: "Unknown search command" with subsearch

martin_mueller — Wed, 13 Mar 2013 15:28:41 GMT

Take a look at the return command in the splunk docs as well.

Re: "Unknown search command" with subsearch

gkanapathy — Wed, 13 Mar 2013 15:52:38 GMT

You don't the | at the start of the subsearch. It's implicit, which is why there's an error in the first place.

Re: "Unknown search command" with subsearch

jonuwz — Wed, 13 Mar 2013 15:54:04 GMT

"It's trivial to find all" - top does not return all the SIDS.

[ ... | fields SID | dedup SID ]

will

Re: "Unknown search command" with subsearch

gkanapathy — Wed, 13 Mar 2013 17:30:23 GMT

top limit=1000 or top limit=0, but yes, dedup is better if you don't need the ranking and percentages, since it doesn't have to sort or accumulate the total.