https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598262#M208319 <P>Yes, thats the problem... some lines has the number extracted as alert_num, some has not. thats why could not find all of them in whole search.</P><P>the alert_num string is the same, so if it is possible have to two different extract regex for that field, or take that number as a simple string to use it in the outer search.</P> Wed, 18 May 2022 08:44:18 GMT gszabo 2022-05-18T08:44:18Z https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598245#M208311 <P><FONT face="arial,helvetica,sans-serif">Hello,</FONT></P> <P><FONT face="arial,helvetica,sans-serif">Help me please. I'd like to define multiple search or subsearch to merge all relevant information about alerts.</FONT></P> <P><FONT face="arial,helvetica,sans-serif">Interesting fields in search are &nbsp;the hosts - as managed_host field and an&nbsp;uniqe alert number.</FONT></P> <P><FONT face="arial,helvetica,sans-serif">I do not need alert about all the hosts, so i sort the relevant ones:&nbsp;</FONT></P> <P><STRONG><FONT face="andale mono,times">index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num |&nbsp; eval alert=alert_num</FONT></STRONG></P> <P><FONT face="arial,helvetica,sans-serif">Thats simple, will show the relevant alert numbers. After that i need to simple search the selected alerts to get ALL the logs ( some of them doesn't contain managed_host filed, so will not appear at first search.)</FONT></P> <P><STRONG><FONT face="andale mono,times">Index=main alert_num=$alert$</FONT></STRONG></P> <P><FONT face="andale mono,times">How could be merged this two search in one to generate an alert that will contain all relevant information?</FONT></P> <P><FONT face="andale mono,times">Thanks,</FONT></P> <P><FONT face="andale mono,times">Gabor</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 18 May 2022 16:29:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598245#M208311 gszabo 2022-05-18T16:29:07Z https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598250#M208312 <P>Try something like this</P><LI-CODE lang="markup">index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | format]</LI-CODE> Wed, 18 May 2022 07:26:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598250#M208312 ITWhisperer 2022-05-18T07:26:16Z https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598252#M208314 <P>Thanks for the reply.</P><P>Almost good. the subseach returns the relevant alert numbers, thats okay.&nbsp;</P><P>alert_num search</P><TABLE><TBODY><TR><TD>1</TD><TD>&nbsp;</TD><TD><P>( ( alert_num="484316" ) OR ( alert_num="484263" ) OR ( alert_num="484243" ) )</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>But the whole query do not shows all the relevant logs with the selected alert numbers, just ones what contains the managed_host field.</P><P>&nbsp;</P> Wed, 18 May 2022 08:01:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598252#M208314 gszabo 2022-05-18T08:01:18Z https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598256#M208316 <P>The subsearch is just returning alert numbers not managed_host values so the outer search should be searching the whole index for events with these alert_num values.</P><P>Has the alert_num field been extracted on the non-managed_hosts?</P><P>Can you pick a returned alert number and try just searching you main index with that value to see what you get?</P> Wed, 18 May 2022 08:18:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598256#M208316 ITWhisperer 2022-05-18T08:18:57Z https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598262#M208319 <P>Yes, thats the problem... some lines has the number extracted as alert_num, some has not. thats why could not find all of them in whole search.</P><P>the alert_num string is the same, so if it is possible have to two different extract regex for that field, or take that number as a simple string to use it in the outer search.</P> Wed, 18 May 2022 08:44:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598262#M208319 gszabo 2022-05-18T08:44:18Z https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598268#M208321 <P>Try this</P><LI-CODE lang="markup">index=main [search index=main ( managed_host="host_A" OR managed_host="host_B" OR managed_host="host_C" ) | dedup alert_num | fields alert_num | rename alert_num as query | format]</LI-CODE> Wed, 18 May 2022 08:56:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598268#M208321 ITWhisperer 2022-05-18T08:56:11Z https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598271#M208323 <P>Yes, thats works now. Arbor logs without any structure... i love it.</P><P>Thank you very much!</P><P>&nbsp;</P> Wed, 18 May 2022 09:02:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-define-multiple-search-or-subsearch-to-merge-all-relevant/m-p/598271#M208323 gszabo 2022-05-18T09:02:45Z