Solved: Subsearch: How to create a search which returns mu...

madhukar3us · ‎06-28-2022

Hi,

I have a search query which returns multiple values. For example, the search query returns abc, def, ghi.

I need to take this as input and i need to perform a search of these values. The logs contains the abc-123-678, def-678+943 , ghi-678-123 and i need to search the events that contains these strings.

Any suggestions?

gcusello · ‎06-28-2022

Hi @madhukar3us ,

if you need to use the result of a subquery to search as text in the main search, you have to follow this approach

supposing that the field in the subsearch containing the values to search is "my_field"

your_main_search [ search your_secondary_search  rename my_field AS query | fields query ]

Ciao.

Giuseppe

View solution in original post

marysan · ‎06-28-2022

Hi
I suppose that you need join command for example :
index=index1 abc=123-678 def=678+943 , ghi=678-123
| fields abc,def,ghi
| join type=inner abc,def,ghi
[| search index=index2]

gcusello · ‎06-28-2022

Hi @madhukar3us ,

if you need to use the result of a subquery to search as text in the main search, you have to follow this approach

supposing that the field in the subsearch containing the values to search is "my_field"

your_main_search [ search your_secondary_search  rename my_field AS query | fields query ]

Ciao.

Giuseppe

danielcj · ‎06-28-2022

Hello @madhukar3us ,

Could you please provide more information? Are these values on the same field? Could you also share some log samples?

Thanks.

Subsearch: How to create a search which returns multiple values?

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life