topic Re: How to check a certain (not _raw) field value matches a value returned by a subsearch? in Splunk Search

How to check a certain (not _raw) field value matches a value returned by a subsearch?

manus — Mon, 04 Aug 2014 16:08:38 GMT

By default, when we append a subsearch to a search, it looks for events which _raw field value matches one of the value returned by the subsearch.

Is there a way to check that a certain field value (not _raw like above) matches one of the values returned by the subsearch?

I tried the below, by appending host= to my subsearch results, to force searching on the field host, and nothing else, but it didn't work.

mysearch [mysubsearch|fields host|eval host="host=".host]

Re: How to check a certain (not _raw) field value matches a value returned by a subsearch?

somesoni2 — Mon, 04 Aug 2014 16:20:47 GMT

Try something like this

mysearch [mysubsearch|fields host|eval host="host=".host | return $$host]

OR 

mysearch [mysubsearch|fields host|eval search="host=".host | table search]

Updated

mysearch [mysubsearch|table host | format ]

Re: How to check a certain (not _raw) field value matches a value returned by a subsearch?

manus — Mon, 04 Aug 2014 17:13:15 GMT

None of these solutions work.
No clue what the first one does, plenty of events from wrong hosts are returned in the end.

The second one is very close to my first attempt, but like it, doesn't work. The subsearch produces the output anticipated, but the main one is missing the events from many hosts which should have been included.

Re: How to check a certain (not _raw) field value matches a value returned by a subsearch?

manus — Mon, 04 Aug 2014 17:17:42 GMT

I found a solution... which seems unefficient, but works:
mysearch |join host [mysubsearch|fields host]

Re: How to check a certain (not _raw) field value matches a value returned by a subsearch?

manus — Mon, 04 Aug 2014 17:19:38 GMT

But thanks for help!

Re: How to check a certain (not _raw) field value matches a value returned by a subsearch?

somesoni2 — Mon, 04 Aug 2014 17:22:49 GMT

I might overlooked the scenario where there will be multiple hosts. You can give the updated answer a try (will be faster than join)

Re: How to check a certain (not _raw) field value matches a value returned by a subsearch?

gkanapathy — Mon, 04 Aug 2014 20:48:16 GMT

Either

mysearch [ mysubsearch | return 10000 host ]

or in this particular case:

mysearch [ mysubsearch | fields host ]

are the shortest and simplest. You don't need table or field with return. You don't need format because it's implicitly done at the end of a subsearch. You use 10,000 to set the max number of values to be considered. (The default is 1, only the first host will be considered.) In your original question, you didn't mention that you might have mutiple values.