https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61599#M15209 <P>What happens when you put a "format" in the subsearch? Like does this work:</P> <PRE><CODE>index=main [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | format ] </CODE></PRE> <P>I've found times where my subsearch will not work without tacking on a <CODE>| format</CODE> on the end, I'm not sure why, and it doesn't seem like you should have to. Perhaps someone more familiar with subsearches help explain when you need format and when you do not.</P> <P></P><HR /><P></P> <P>Another thing to look into is using the "Job Inspector" and looking at the "remoteSearch" value. You should see "litsearch" followed by the expanded form of your search. You may find something interesting going on here that could explain why your subsearch isn't working properly.</P> Fri, 01 Oct 2010 21:54:48 GMT Lowell 2010-10-01T21:54:48Z https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61598#M15208 <P>I could be doing something wrong, but I can't seem to get subsearches to behave like I expect. I can get something like the documentation (HowSubsearchesWork) example to work, but anything more complicated seems to fail.</P> <P>This query:</P> <PRE><CODE>index="main" *CONNECTION | top host limit=1 | fields host </CODE></PRE> <P>shows the host with the most CONNECTION log entries.</P> <P>As expected, this query:</P> <PRE><CODE>* [search index="main" *CONNECTION | top host limit=1 | fields host] </CODE></PRE> <P>shows all log messages from the host that has the most connection logs. When I try using a different fields, however, the behavior changes.</P> <P>For example, this query shows the most frequent UUIDs (a custom field):</P> <PRE><CODE>index="main" *CONNECTION | top UUID limit=1 | fields UUID </CODE></PRE> <P>The following all return "No matching events found.":</P> <PRE><CODE>* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID] * [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as query] * [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search] </CODE></PRE> <P>Pasting the output from either of</P> <PRE><CODE>index="main" *CONNECTION | top UUID limit=1 | fields UUID | format index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search | format </CODE></PRE> <P>into a new splunk search produces the expected results.</P> <P>Could this be a syntax or configuration issue, or do I not understand how subsearches work? We're on 4.1.3; could this be related to SPL-32669 ?</P> <P>thanks in advance,</P> <P>rick</P> Fri, 01 Oct 2010 04:41:07 GMT https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61598#M15208 rickschultz 2010-10-01T04:41:07Z https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61599#M15209 <P>What happens when you put a "format" in the subsearch? Like does this work:</P> <PRE><CODE>index=main [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | format ] </CODE></PRE> <P>I've found times where my subsearch will not work without tacking on a <CODE>| format</CODE> on the end, I'm not sure why, and it doesn't seem like you should have to. Perhaps someone more familiar with subsearches help explain when you need format and when you do not.</P> <P></P><HR /><P></P> <P>Another thing to look into is using the "Job Inspector" and looking at the "remoteSearch" value. You should see "litsearch" followed by the expanded form of your search. You may find something interesting going on here that could explain why your subsearch isn't working properly.</P> Fri, 01 Oct 2010 21:54:48 GMT https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61599#M15209 Lowell 2010-10-01T21:54:48Z https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61600#M15210 <P>index=main [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | format ]</P> <P>also yields "No matching events found."</P> Tue, 05 Oct 2010 01:01:59 GMT https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61600#M15210 rickschultz 2010-10-05T01:01:59Z https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61601#M15211 <P>Search Job Inspector shows the following, though I'm not sure how to interpret it:</P> <P>remoteSearch | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"</P> Sat, 09 Oct 2010 04:12:21 GMT https://community.splunk.com/t5/Splunk-Search/Subsearches-and-custom-fields/m-p/61601#M15211 rickschultz 2010-10-09T04:12:21Z