topic Re: How to create alternative for subsearch in Splunk Search

How to create alternative for subsearch?

Mike6960 — Tue, 13 Dec 2022 15:15:44 GMT

I have a search with a subsearch. I run into the limitations of the maximum results (50.000)

Now Ia m trying to figure out to rebuild my search but I am stuck. Can anyone guide to the right direction?

My search now :

<> index=TEST
| search logger="success - Metadata:*"
[ search index=TEST
| search logger="Response: OK]"
| fields message.messageId]
| stats dc(message.messageId)</>

Re: How to create alternative for subsearch

gcusello — Tue, 13 Dec 2022 12:17:04 GMT

Hi @Mike6960,

at first use the search command after the main search only if you have some trasformation in the middle to use in the secondary search so you can have quicker searches.

then you have to find some value to identify differences.

If I correctly understood, you have to filter the results of the main search with the ones of the secondaryand you want only the message.messageId where there are both the logger values, is it correct?

in this case you could run something like this:

index=TEST (logger="success - Metadata:*" OR logger="Response: OK") | eval kind=if(logger="Response: OK",logger="Response: OK","success - Metadata") | stats dc(kind) AS kind_count values(logger) AS logger BY message.messageId | where kind_count=2

please see my approach and adapt it to your need.

Ciao.

Giuseppe

Re: How to create alternative for subsearch

Mike6960 — Tue, 13 Dec 2022 12:40:52 GMT

Hi @gcusello , I tried yor suggestion but I get the error:

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

My example search was simplified for several reasons, is there a chance I use illegal characters or something?

Re: How to create alternative for subsearch

gcusello — Tue, 13 Dec 2022 13:11:58 GMT

Hi @Mike6960,

sorry miscopy error:

index=TEST (logger="success - Metadata:*" OR logger="Response: OK") | eval kind=if(logger="Response: OK","Response: OK","success - Metadata") | stats dc(kind) AS kind_count values(logger) AS logger BY message.messageId | where kind_count=2

Ciao.

Giuseppe

Re: How to create alternative for subsearch

Mike6960 — Tue, 13 Dec 2022 13:39:37 GMT

@gcusello , thanks the error is now gone. But I get no results which is strange. I am gonna try to look what is causing this.

Maybe I should use 'transaction' because there are multiple kind of values for the logger not just the two

I need the events that are in both

Re: How to create alternative for subsearch

Mike6960 — Tue, 13 Dec 2022 14:56:05 GMT

@gcusello I think its because of the asterix I use in the logger. I read that this is not supported in the evalfunction....

Re: How to create alternative for subsearch

gcusello — Tue, 13 Dec 2022 15:48:46 GMT

Hi @Mike6960,

maybe the problem is the field message.messageId, rename it or use quotes:

index=TEST (logger="success - Metadata:*" OR logger="Response: OK") | rename message.messageId AS messageId | eval kind=if(logger="Response: OK","Response: OK","success - Metadata") | stats dc(kind) AS kind_count values(logger) AS logger BY messageId | where kind_count=2

Ciao.

Giuseppe