topic Re: Searching over list from subsearch in Splunk Search

Searching over list from subsearch

adam_reber — Fri, 02 Oct 2015 13:07:53 GMT

I don't seem to be able to wrap my head around this search. I have a set of data that uses a unique ID to tie a chain of actions together across multiple events. I want to search through the index, find the IDs from all of the events that match match_criteria1, then return any event in the index that has one of those IDs.

name   ID   other field
------ ---  ----------------
event1  A   match_criteria1
event2  B   match_criteria1
event3  C   match_criteria1
event4  A   something
event5  B   something
event6  D   something else
event7  E   other data
event8  E   other data 2

Should return:

name   ID   other field
------ ---  ----------------
event1  A   match_criteria1
event2  B   match_criteria1
event3  C   match_criteria1
event4  A   something
event5  B   something

Any ideas?

Re: Searching over list from subsearch

somesoni2 — Fri, 02 Oct 2015 13:58:50 GMT

Try something like this

index=Blah sourcetype=blah [search index=Blah sourcetype=blahh other_field=match_criteria1 | stats count by ID | table ID ] | table name ID other_field

Re: Searching over list from subsearch

adam_reber — Fri, 02 Oct 2015 14:11:21 GMT

Hmm.. that's exactly what I've seen examples of and tried, but it isn't returning any results. I need to do an eval on the criteria field, perhaps that is messing it up.

If you append a search like that, which is generating a single column table, is it equivalent to
"field=a OR field=b OR field=c"?
- OR -
"a OR b OR c"

Re: Searching over list from subsearch

somesoni2 — Fri, 02 Oct 2015 14:38:02 GMT

Yes The Subsearch with generate the OR condition like that..
Could you share the query that you tried (and failed), we can see any possible issues with that?