Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch: How to create a search which returns multiple values?

madhukar3us
Engager
‎06-28-2022 09:49 AM

Hi,

I have a search query which returns multiple values. For example, the search query returns abc, def, ghi.

I need to take this as input and  i need to perform a search of these values. The logs contains the abc-123-678, def-678+943 , ghi-678-123 and i need to search the events that contains these strings.

Any suggestions?

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2022 10:25 AM

Hi @madhukar3us ,

if you need to use the result of a subquery to search  as text in the main search, you have to follow this approach

supposing that the field in the subsearch containing the values to search is "my_field"

your_main_search [ search your_secondary_search  rename my_field AS query | fields query ]

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

marysan
Communicator
‎06-28-2022 11:57 PM

Hi
I suppose that you need join command for example :
index=index1 abc=123-678  def=678+943 , ghi=678-123
| fields abc,def,ghi
| join type=inner abc,def,ghi
 [| search index=index2]

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2022 10:25 AM

Hi @madhukar3us ,

if you need to use the result of a subquery to search  as text in the main search, you have to follow this approach

supposing that the field in the subsearch containing the values to search is "my_field"

your_main_search [ search your_secondary_search  rename my_field AS query | fields query ]

Ciao.

Giuseppe

Reply
Solved! Jump to solution

danielcj
Communicator
‎06-28-2022 10:23 AM

Hello @madhukar3us ,

Could you please provide more information? Are these values on the same field? Could you also share some log samples?

 

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...