topic Re: How do I assign an extracted field from a subsearch to be the source in an outer search? in Splunk Search

How do I assign an extracted field from a subsearch to be the source in an outer search?

pmaitra — Fri, 18 Nov 2016 19:48:29 GMT

I have a search from which I extracted field A. In the second search, how do I assign A to be the source of the second search?

For example :
I am using the below query:

index=something  host=somevalue source=something/something/something/something/A    B  [search eventtype=somevalue | table A | dedup A | fields + A] | table B

From the above query what I am expecting is :

My subsearch will return field A.
My outer search will use field A as a source in which I will get result B .

Please help me out with this.

Thanks in advance.

Re: How do I assign an extracted field from a subsearch to be the source in an outer search?

sundareshr — Fri, 18 Nov 2016 20:23:00 GMT

Try this

*UPDATED*

index=something  host=somevalue  [search eventtype=somevalue | table A | dedup A | eval A="x/x/x/x/".A | rename A as source ] | table B

Re: How do I assign an extracted field from a subsearch to be the source in an outer search?

gokadroid — Sat, 19 Nov 2016 06:15:30 GMT

If you want to search the values stored in field A from internal search as strings in your outer search and then tabulate the field B in outer search then give this a try please (Notice I have removed plain B from this search in outer search:

index=something host=something source=x/x/x/A  
[search index=something host=something source=y/y/y/y | table A | dedup A | return 10000 $A ] 
| table B

Here both A and B are field names. In your comment's example, searching for a field B just by placing the field name B in outer search won't help which I quote below:

index=something host=something source = x/x/x/A B [search index=something host=something source=y/y/y/y | table A | dedup A | fields + A ] | table B

It should be B=something in the outer search of your comment.

Re: How do I assign an extracted field from a subsearch to be the source in an outer search?

pmaitra — Sun, 20 Nov 2016 04:14:42 GMT

Hey Sundareshr thanks!

I used your updated query and got exactly what I want the source to be in my outer query. But unfortunately it is still resulting in 0 events. Please help if you have any other way out!

Re: How do I assign an extracted field from a subsearch to be the source in an outer search?

pmaitra — Sun, 20 Nov 2016 07:04:51 GMT

Thank you very much for showing me the correct path. The only change I did is I added fields + A and then renamed A as source as suggested by you and it worked magically . Thank you very very much.

Re: How do I assign an extracted field from a subsearch to be the source in an outer search?

niketn — Sun, 20 Nov 2016 10:52:23 GMT

Do you expect single value for field A or multiple?