topic Search in square brackets in Splunk Search

Search in square brackets

vanheer — Thu, 02 Nov 2023 11:23:21 GMT

I don't understand how this works, what should replace the square brackets in this situation or what does the search works here?

index=123 sourcetype=grades [|search index=123 sourcetype=grades line=6 AND class=4|return Name]

Can anyone explain this please?

I've tried to make it more simple with one search and get rid of the square brackets, but I always get different results.

Re: Search in square brackets

ITWhisperer — Thu, 02 Nov 2023 11:26:32 GMT

The search in the square brackets (the subsearch) is executed first. The results are then used to filter the main search. For example, if the subsearch returns 3 rows, these will be separate by ORs and the fields returned in each row will be separated by ANDs.

index=123 sourcetype=grades ((line=6 AND class=4 AND index=123 AND _time=<whatever the time of the event is> AND <whatever other fields are in the event>) OR (line=6 AND class=4 AND index=123 AND _time=<whatever the time of the next event is> AND so on))

Re: Search in square brackets

isoutamo — Thu, 02 Nov 2023 11:29:49 GMT

You could evaluate this by running this

index=123 sourcetype=grades line=6 AND class=4 | return Name

If you have events which those values it returns

Name="<value of field Name>"

Then it use that with your outer search

r. Ismo