https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352065#M175161 <P>BTW, using Splunk v6.2.6</P> Mon, 13 Mar 2017 05:34:31 GMT splunk_svc 2017-03-13T05:34:31Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352064#M175160 <P>Hi Splunkers.</P> <P>I am retrieving a field from JSON log file using rex, table and spath.<BR /> Although this runs fine as a standard query, I'm not be able to turn this into an eventtype due to the restriction on subsearches when defining an event type's query.</P> <P>Here's my query:<BR /> index=my_index "lane" |rex "^(?:[^ \n]* ){7}(?P.+)"|table my_data|spath input=my_data | fields lane</P> <P>I am trying to create an event type of "lane" from this but of course cannot due to the subquery limitation.<BR /> I'm sure there is a way around this limitation but I've not been able to find it.<BR /> Don't seem to have found anything similar post on here either.</P> <P>How does one get the output of this into an eventtype??</P> <P>Thanks.</P> Tue, 29 Sep 2020 13:12:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352064#M175160 splunk_svc 2020-09-29T13:12:39Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352065#M175161 <P>BTW, using Splunk v6.2.6</P> Mon, 13 Mar 2017 05:34:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352065#M175161 splunk_svc 2017-03-13T05:34:31Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352066#M175162 <P>The rules for an eventtype actually says</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Abouteventtypes">You cannot base an event type on a search that:</A></P> <UL> <LI>Includes a pipe operator after a simple search.</LI> <LI>Includes a subsearch.</LI> </UL> <P>So you will need to remove ALL of the commands after the base search. First, the table and fields commands are adding nothing to your eventtype and can simply be deleted. The field extractions performed by the rex and spath commands should be coded into props.conf for the sourcetype. You will find some information about how to do this if you read the documentation for the <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Spath">spath</A> and rex commands. Here is another list of references for <A href="http://docs.splunk.com/Splexicon:Fieldextraction">field extraction</A>.</P> <P>Finally, why do you need an eventtype? Perhaps a macro would serve you better, as it does not have these restrictions.</P> Mon, 13 Mar 2017 06:17:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352066#M175162 lguinn2 2017-03-13T06:17:32Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352067#M175163 <P>The problem is the pipes, not eventtypes.</P> Mon, 13 Mar 2017 19:23:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352067#M175163 woodcock 2017-03-13T19:23:38Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352068#M175164 <P>The problem is the pipes, not eventtypes. But let's back up. Why do you think you need an eventtype? What is your overall end goal?</P> Mon, 13 Mar 2017 19:24:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-around-the-subsearch-limitation-when-defining/m-p/352068#M175164 woodcock 2017-03-13T19:24:08Z