topic Re: Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command? in Splunk Search

Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

maximus_reborn — Mon, 23 May 2016 09:04:53 GMT

I want to do something like the below command but it is giving me an error.

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count)]

Error:

Unknown search command 'sourcetype'.

Can anyone let me know how to achieve the objective? My aim is to extract the events where passenger_count is greater then the average of that column.

This will happen in real time.

Re: Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

NOUMSSI — Mon, 23 May 2016 10:03:58 GMT

Hi try this:

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count)]

Re: Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

NOUMSSI — Mon, 23 May 2016 12:03:03 GMT

Dont forget to accept my answer if you were satisfied

Re: Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

maximus_reborn — Tue, 29 Sep 2020 09:45:18 GMT

I am getting 2 errors:
1. Error reading runtime settings: File :/usr/local/splunk/var/run/splunk/dispatch/subsearch_1464015531.154_1464015531.1/runtime.csv does not exist
2. ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'where' command: Typechecking failed. The '>' operator received different types

Re: Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

somesoni2 — Mon, 23 May 2016 15:48:54 GMT

Try this

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count) as avg | return $avg]

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count) as query]

Re: Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

maximus_reborn — Mon, 23 May 2016 15:59:26 GMT

Thanks! It did work.

Re: Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

philippiq — Fri, 26 May 2017 15:40:14 GMT

try to insert 'search' before sourcetype