Question on subsearch as query filter

radu_marian · ‎02-10-2017

Hi guys,

I'm running a query like:
index=my_index [search index=my_index abcd|table x] |table y

This works out well, but in the job details i see the following message multiple times:
INFO StringSearchExpander - calculated_field="x" not expanded in comparison_expression="x="blahblah"". calc_field_processor!=null, negated=false (negation depth=0)

Can anyone explain what it means and if it impacts the output of my query?

Thanks.

ehudb · ‎02-10-2017

The best approach for subsearch filter is to use the return function:
|return 100 x -> return one field named "search" with first 100 values in one row, field name included:
"x=value1 OR x=value2 OR x=value3"
|return 100 $x -> return one field named "search" with first 100 values in one row, no field name included:
"value1 OR value2 OR value3"

index=my_index [search index=my_index abcd|table x|return 100 x] |table y

index=my_index [search index=my_index abcd|table x|return 100 $x] |table

rjthibod · ‎02-10-2017

I cannot tell you what that message means, but I suggest you try editing the subsearch a little bit and see if the results changes or that message goes away.

index=my_index [search index=my_index abcd|stats count by x | fields x] |table y

Question on subsearch as query filter

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms