topic Re: Use the result from the subsearch to a main search in Splunk Search

Use the result from the subsearch to a main search

thenormalone — Tue, 29 Jun 2021 19:38:41 GMT

In one of the search strings, I have an event from which i extract the correlation ids and in turn want to search through there correlation ids to get an event which has a text in from of the correlation id (eg: abc: <correlation_Id>.

when I try

index=ind1 [search sttring 1 | table correlationId], the log which has the string of "abc: <correlation_Id>" is not coming back. But if i search for one of the correlationIds from the table I get that event.

I'm not sure what I'm doing wrong here. That event I'm trying to get has a string "abc" in front and I feel like that's causing the results to not come back.

Re: Use the result from the subsearch to a main search

swong_splunk — Tue, 29 Jun 2021 19:50:34 GMT

Try adding the | format command in the subsearch

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/FORMAT

This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search.

index=ind1
[search sttring 1
| table correlationId
| format]

Re: Use the result from the subsearch to a main search

thenormalone — Tue, 29 Jun 2021 20:16:42 GMT

well if I'm not mistaken that gives me

index=ind1 "correlation-id=<correlation_Id>"

so it still isn't giving me that event which has the format "abc: <correlation_Id>"

Re: Use the result from the subsearch to a main search

isoutamo — Tue, 29 Jun 2021 20:45:03 GMT

You should add rename correlation_id as search into sub search e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fieldname/m-p/11212

Also it’s more efficient to replace table with fields as then this search will run on indexers instead of search head.

r. Ismo