topic Re: How to use subsearch without a field name? (but just with field value for more than one fileld) in Splunk Search

How to use subsearch without a field name? (but just with field value for more than one fileld)

thanchen — Wed, 07 Jun 2023 08:03:53 GMT

Here is the document, but how?

https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults

Using the query field name Use the query field name when you want the values in the fields returned from the subsearch, but not the field names. The query field name is similarly to using the format command. Instead of passing the field and value pairs to the main search, such as: (field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2) Using the query field name passes only the values: (val1_1 AND val1_2) OR (val2_1 AND val2_2)

When rename one fields as query, got `remoteSearch premakeresults 1 ( ( field2="val1_2" AND val1_1 ) )` in inspect job log's remoteSearch.
What I want is `remoteSearch premakeresults 1 ( ( "val1_2" AND val1_1 ) )`

Below post only rename one field as query.
https://community.splunk.com/t5/Splunk-Search/How-to-use-subsearch-without-a-field-name-but-just-with-field/m-p/449282

@woodcock sorry to bother you, seeing a lot of high quality answers from you, seeking your help here.

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

gcusello — Wed, 07 Jun 2023 08:12:11 GMT

Hi @thanchen ,

you can pass a value from a subsearch without specifying the field name renaming the field as "query", in this way you perform a full text search on the main search events, some thing like this:

<your_main_search> [ search <your_secondary_search> | rename field1 AS query | fields query ] ...

Ciao.

Giuseppe

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

isoutamo — Wed, 07 Jun 2023 08:41:28 GMT

there are couple of ways to test it, but probably easiest way to test it is

index=_audit [| makeresults | eval query="val1_1 AND val1_1" | table query]

Another way is use search instead of query as field name.

Here is one recent post how to do this https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-format-to-get/m-p/645818/highlight/true#M223599

r. Ismo

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

thanchen — Wed, 07 Jun 2023 08:50:22 GMT

Hi Giuseppe, I tried this, it only gives me `premakeresults 1 ( ( val1_1 ) )`
I need `premakeresults 1 ( ( val1_1 AND val1_2 ) )`

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

gcusello — Wed, 07 Jun 2023 09:00:25 GMT

Hi @thanchen,

it's not clear for me where you take val1 and val2, anyway, you can use the subsearch two times:

<your_main_search> ([ search <your_secondary_search> | rename field1 AS query | fields query ] OR [ search <your_secondary_search> | rename field2 AS query | fields query ]) ...

Ciao.

Giuseppe

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

thanchen — Wed, 07 Jun 2023 09:20:50 GMT

My example in only a Minimal, Reproducible Example
val1 and val2 comes from two fields field1 and field2
Use the subsearch two times should be a workaround, but if I want three or more, I believe there should be a solution.

And I tried `| rex mode=sed field=search "s/(field1|field2)=//g"` at the end of subsearch, no luck.

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

isoutamo — Wed, 07 Jun 2023 09:25:58 GMT

Have you try something like

<your_main_search> [ search <your_secondary_search> | eval search=field1 . " AND " . field2 | table search ]

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

thanchen — Wed, 07 Jun 2023 09:42:16 GMT

Thanks @isoutamo , this one works, but only work for one row output in subsearch

but in real world, we may need more than one row results in subseach, just like the official document shows:

(val1_1 AND val1_2) OR (val2_1 AND val2_2)

https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults

cc: @gcusello

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

thanchen — Wed, 07 Jun 2023 10:11:23 GMT

Looks by doing below, it could cover the case that have multi rows results in subsearch.

<your_main_search> [ search <your_secondary_search> | eval search="(\"" + field1 + "\" AND \"" + field2 + "\")" | stats values(search) AS searches | eval search=mvjoin(searches, " OR ") | fields search ]

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

thanchen — Wed, 07 Jun 2023 10:27:53 GMT

The answer is already in the link, sorry I didn't read it carefully at the begining, the discusstion with Giuseppe lead to the same solution.

<your_main_search> 
  [ search <your_secondary_search>
| eval search="(\"" + field1 + "\" AND \"" + field2 + "\")" 

| stats
    values(search) AS searches 
| eval search=mvjoin(searches, " OR ")

| fields search
]

Re: How to use subsearch without a field name? (but just with field value for more than one fileld)

gcusello — Wed, 07 Jun 2023 10:32:20 GMT

Hi @thanchen ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉