https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-sub-search-over-indexes/m-p/70728#M17715 <P>I've recently split up my data into indexes and some of my searches that make use of sub searches are now breaking.</P> <P>For example I previously did a </P> <PRE><CODE>tag::host=esb* [search TestService | fields + transaction_id] | transaction transaction_id </CODE></PRE> <P>To cater for the index change I did</P> <PRE><CODE>index=test tag::host=esb* [search TestService | fields + transaction_id] | transaction transaction_id </CODE></PRE> <P>No luck, I even stuck an index into the subsearch with no results.</P> <P>What is the correct syntax?</P> <P>Marinus</P> Tue, 06 Sep 2011 08:52:07 GMT Marinus 2011-09-06T08:52:07Z https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-sub-search-over-indexes/m-p/70728#M17715 <P>I've recently split up my data into indexes and some of my searches that make use of sub searches are now breaking.</P> <P>For example I previously did a </P> <PRE><CODE>tag::host=esb* [search TestService | fields + transaction_id] | transaction transaction_id </CODE></PRE> <P>To cater for the index change I did</P> <PRE><CODE>index=test tag::host=esb* [search TestService | fields + transaction_id] | transaction transaction_id </CODE></PRE> <P>No luck, I even stuck an index into the subsearch with no results.</P> <P>What is the correct syntax?</P> <P>Marinus</P> Tue, 06 Sep 2011 08:52:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-sub-search-over-indexes/m-p/70728#M17715 Marinus 2011-09-06T08:52:07Z https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-sub-search-over-indexes/m-p/70729#M17716 <P>I assume you want the subsearch to go against the <CODE>test</CODE> index as well. The subsearch runs on its own and returns its results to the outer search, so any search parameters you add to the outer search do not affect the subsearch. Add <CODE>index=test</CODE> in the subsearch instead and have it return what index it's operating on to the outer search so that it uses the same index. Llike this:</P> <PRE><CODE>tag::host=esb* [search index=test TestService | fields transaction_id,index] | transaction transaction_id </CODE></PRE> Tue, 06 Sep 2011 09:07:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-sub-search-over-indexes/m-p/70729#M17716 Ayn 2011-09-06T09:07:44Z https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-sub-search-over-indexes/m-p/70730#M17717 <P>I found a workaround. I'm using the internal index as an example.</P> <PRE><CODE>index=_internal [search index=_internal | head 1000 | fields + user] | transaction user </CODE></PRE> Fri, 09 Sep 2011 13:36:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-sub-search-over-indexes/m-p/70730#M17717 Marinus 2011-09-09T13:36:37Z