topic Re: pass a subsearch result to the head command in Splunk Search

pass a subsearch result to the head command

proylea — Wed, 16 Dec 2015 01:36:29 GMT

I am trying to pass the numeric result of a subsearch to the head command with no success, can anyone see what I am doing wrong?

The following query returns a count of 3

index=starx error | fieldformat count=count/2 | stats count

I want to use that query as a subsearch result for the head command like this

index=starx error | head [ search index=starx error | fieldformat count=count/2 | stats count ]

But get no result found

Re: pass a subsearch result to the head command

MuS — Wed, 16 Dec 2015 02:13:44 GMT

Hi proylea,

if you want to pass a value to the head command you must return only a value form the subsearch, but you're currently returning count=somenumber. Do get back only a value from the subsearch run this run everywhere search

  index=_internal error | head [ search index=_internal error | stats count | rename count AS search ]

This will rename the count field to a search field, which will just come back as a value. This way head can use it.

Hope this helps ...

cheers, MuS

Re: pass a subsearch result to the head command

proylea — Wed, 16 Dec 2015 02:53:55 GMT

Hi MuS
With your query both the base search and the subsearch returns the same count, hence the head value returned is not divided by 2.

Regards
Peter

Re: pass a subsearch result to the head command

MuS — Wed, 16 Dec 2015 03:06:20 GMT

Sorry my bad, ignore the second example. Look at the provided first example and tweak it to your needs.

Re: pass a subsearch result to the head command

proylea — Wed, 16 Dec 2015 03:11:32 GMT

Cheers, I still can't work out how to divide the count by 2 to return the result?

Re: pass a subsearch result to the head command

proylea — Wed, 16 Dec 2015 03:25:56 GMT

Finally got it!

index=starx error | head [ search index=starx error | stats count | eval total=round(count/2) | rename total AS search ]

Re: pass a subsearch result to the head command

proylea — Wed, 16 Dec 2015 03:26:47 GMT

Thanks for your help MuS with the rename AS search

Re: pass a subsearch result to the head command

jplumsdaine22 — Wed, 16 Dec 2015 12:44:45 GMT

If you want to avoid using a subsearch altogether you could do something like this:

index=starx error | streamstats count as total_results | eventstats p50(count) as average | eval keep=count-average | search keep>0

This avoids any limitations in the subsearch if your index is very large, and saves you from running the index=starx search twice.