topic Re: Use subsearch result as fulltext search in outer search in Splunk Search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112569#M29573 <P>Further testing is also strange:</P> <PRE><CODE>|noop | stats count | eval _raw="*972*" | fields _raw | format |noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*" </CODE></PRE> <P>These should both create a field called <CODE>search</CODE> with value <CODE>( ( _raw="*972*" ) )</CODE> but they don't.</P> Fri, 10 Jul 2015 15:47:43 GMT woodcock 2015-07-10T15:47:43Z Use subsearch result as fulltext search in outer search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112567#M29571 <P>Is it possible to use the result value of a subsearch as a fulltext (or wildcard) search in the outer search. I have a subsearch like this:</P> <PRE><CODE>servertype=abc "some search terms" |&nbsp;fields correlation_id </CODE></PRE> <P>and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field, it is just somewhere inside the text, so this is not working</P> <PRE><CODE>servertype=xyz "some other seach terms" [search servertype=abc "some search key" |&nbsp;fields correlation_id] </CODE></PRE> <P>because splunk is searching for a correlation_id field, which does not exist.</P> <P>This is a very simplified example, but I hope you get my problem.</P> Fri, 10 Jul 2015 07:22:18 GMT https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112567#M29571 woezelmann 2015-07-10T07:22:18Z Re: Use subsearch result as fulltext search in outer search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112568#M29572 <P>This should work (but performance will be slow)</P> <PRE><CODE>[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw] </CODE></PRE> <P>But for some reason it does not and I don't know why!</P> Fri, 10 Jul 2015 13:50:46 GMT https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112568#M29572 woodcock 2015-07-10T13:50:46Z Re: Use subsearch result as fulltext search in outer search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112569#M29573 <P>Further testing is also strange:</P> <PRE><CODE>|noop | stats count | eval _raw="*972*" | fields _raw | format |noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*" </CODE></PRE> <P>These should both create a field called <CODE>search</CODE> with value <CODE>( ( _raw="*972*" ) )</CODE> but they don't.</P> Fri, 10 Jul 2015 15:47:43 GMT https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112569#M29573 woodcock 2015-07-10T15:47:43Z Re: Use subsearch result as fulltext search in outer search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112570#M29574 <P>OK, this is funky but it works:</P> <PRE><CODE> ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw] </CODE></PRE> Fri, 10 Jul 2015 20:06:50 GMT https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112570#M29574 woodcock 2015-07-10T20:06:50Z Re: Use subsearch result as fulltext search in outer search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112571#M29575 <P>Great, now it works. Thank you very much!</P> Mon, 13 Jul 2015 15:38:27 GMT https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112571#M29575 woezelmann 2015-07-13T15:38:27Z Re: Use subsearch result as fulltext search in outer search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112572#M29576 <P>Use this: </P> <P>servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id | <STRONG><EM>rename correlation_id as search</EM></STRONG>]</P> <P>as stated here:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults</A></P> Tue, 29 Sep 2020 09:07:29 GMT https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112572#M29576 marcoscala 2020-09-29T09:07:29Z Re: Use subsearch result as fulltext search in outer search https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112573#M29577 <P>I had to use ..... | rename correlation_id as <STRONG>query</STRONG>]</P> Fri, 27 Jul 2018 13:11:09 GMT https://community.splunk.com/t5/Splunk-Search/Use-subsearch-result-as-fulltext-search-in-outer-search/m-p/112573#M29577 606866581 2018-07-27T13:11:09Z