
The Results from a Subsearch Need to be Used as an OR in the Main Search

Builder

Hello,
I have a main search, with an append command.
Some events contain just the user; others just the addr; and still others both the user and the addr. The issue is I only know user. However, to find events which contain just the addr I need to search the log for events where the user!="" and where addr!="". Then I can run a new search on log with $addr=addr. I will use dedup at the end.

|append
    [ search index ="events"
        AND source="log"
        AND (user="$userId_tok$"
          OR [ search index ="events"
               AND source="/log"
               AND user="$userId_tok$"
               | head limit=1
               | eval addr="\"".addr."\""
               | return $addr ]

Can OR work with subsearches?

I hope that makes sense.

Thanks and God bless,
Genesius

1 Solution

Esteemed Legend

The way that subsearches work by default is that the fields within a row are combined with AND and then rows are combined with OR. You can see what is done by running your subsearch and then adding | format to the end and it will show you the SPL that it will generate. Additionally, the format command allows you to change the AND to OR or the OR to AND if you like, by passing the appropriate arguments. Check it out:
https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

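To make the accepted answer concrete, here is a small Python model of what `| format` does to subsearch rows. It is an added example written for this thread, not Splunk's code: the six positional arguments and their defaults mirror the real command, but whitespace, quoting and the handling of multivalue fields are approximations, and the sample rows (a user `jdoe` with two addresses) are constructed. It also shows why the `| return $addr` in the question hands back a bare quoted value rather than `addr="..."`.

```python
"""Model of Splunk's `format` command, written for this thread (not Splunk
code): it shows how subsearch rows become a search string with fields in a
row joined by AND and rows joined by OR, and how the separators can be
swapped.  Whitespace and quoting are approximations of the real output."""

from typing import Dict, List, Sequence, Union

Scalar = Union[str, int, float]
Row = Dict[str, Union[Scalar, Sequence[Scalar]]]


def quote(value: Scalar) -> str:
    """Double-quote one value, escaping backslashes and embedded quotes."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def format_rows(rows: List[Row],
                row_prefix: str = "(", col_prefix: str = "(",
                col_sep: str = "AND", col_end: str = ")",
                row_sep: str = "OR", row_end: str = ")",
                mvsep: str = "OR") -> str:
    """Build the string `| format` would hand to the outer search.

    The six positional arguments mirror format's own
    "<row prefix>" "<column prefix>" "<column separator>" "<column end>"
    "<row separator>" "<row end>" and carry the same defaults; mvsep joins
    the values of a multivalue field.  An empty result list yields NOT(),
    which is what Splunk substitutes for a subsearch that returned nothing.
    """
    if not rows:
        return "NOT()"
    formatted_rows = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if isinstance(value, (list, tuple)):
                # multivalue field: addr="a" OR addr="b", parenthesised when >1 value
                parts = f" {mvsep} ".join(f"{field}={quote(v)}" for v in value)
                terms.append(f"( {parts} )" if len(value) > 1 else parts)
            else:
                terms.append(f"{field}={quote(value)}")
        joined_terms = f" {col_sep} ".join(terms)
        formatted_rows.append(f"{col_prefix} {joined_terms} {col_end}")
    joined_rows = f" {row_sep} ".join(formatted_rows)
    return f"{row_prefix} {joined_rows} {row_end}"


def return_term(row: Row, field: str, bare: bool = False) -> str:
    """What `| return field` (field="value") versus `| return $field`
    (just "value") emits for one row; the bare form is why the question's
    inner subsearch expanded to a quoted string with no field name in front."""
    value = quote(row[field])
    return value if bare else f"{field}={value}"


# Constructed sample rows: what a subsearch over source="log" for one known
# user might return once it has been shaped into one field per row.
USER = "jdoe"
SUBSEARCH_ROWS: List[Row] = [
    {"user": USER},
    {"addr": "10.0.0.5"},
    {"addr": "10.0.0.9"},
]


def or_clause_for_user(rows: List[Row] = SUBSEARCH_ROWS) -> str:
    """Default separators: single-field rows ORed together, which is exactly
    the `user=... OR addr=...` clause the question asks for."""
    return format_rows(rows)


def and_rows_or_fields(rows: List[Row]) -> str:
    """Same rows with the separators swapped (rows ANDed, fields ORed), the
    change the accepted answer says format's arguments allow."""
    return format_rows(rows, "(", "(", "OR", ")", "AND", ")")


if __name__ == "__main__":
    print(or_clause_for_user())
    print(and_rows_or_fields([{"user": USER, "addr": ["10.0.0.5", "10.0.0.9"]}]))
    print(return_term(SUBSEARCH_ROWS[1], "addr", bare=True))
```

The practical consequence for the question: you do not need OR inside a subsearch at all. Shape the subsearch so that each row carries a single field (one row with `user`, one row per `addr`) and let the default `format` OR the rows together; the subsearch then goes where Splunk allows it, as an argument of the outer `search`, rather than inside a parenthesised boolean expression, which is what triggers "Subsearches are only valid as arguments to commands". One SPL shape that produces rows like `SUBSEARCH_ROWS` (my assumption, not something from the thread) is `index="events" source="log" [ search index="events" source="log" user="$userId_tok$" addr=* | stats count BY addr | fields addr | append [ | makeresults | eval user="$userId_tok$" | fields user ] | fields - _time ]`. Since `$userId_tok$` is a dashboard token spliced verbatim into SPL, use the `|s` filter (`$userId_tok|s$`) so the value is quoted and escaped and a user cannot break out of the string and inject search terms.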


Builder

@woodcock ,
I want to thank you for your reply. I will check into it later this afternoon. I'm prepping for a meeting.
Thanks and God bless,
Genesius

Builder

@woodcock
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to thank people and close them.
Using | format and the supplied link have been a great education.

Apologies for the delay.
Thanks and God bless,
Genesius

Esteemed Legend

Be sure to come back and click Accept to close the question and UpVote any useful answers or comments.


Builder

@woodcock
Got it. Done.
I saw the Accept button over my response and thought I would be accepting mine and not yours. Thanks and God bless,
Genesius

SplunkTrust

It should work with OR (you just need to ensure that proper brackets are placed so that your logic is correct). Your second subsearch is just returning the value (because of the dollar sign), so your search becomes this:

search index ="events"
                 AND source="log" 
                 AND (user="$userId_tok$"
                   OR ("address_value_returned_from_subsearch")

That is intentional right?


Builder

@somesoni2
Yes. Don't forget the trailing ).

AND (user="$userId_tok$"
OR ("address_value_returned_from_subsearch"))

Thanks and God bless,
Genesius


Builder

@somesoni2
Also, here is the error message.

Error in 'SearchParser': Subsearches are only valid as arguments to commands.

Thanks and God bless,
Genesius


SplunkTrust

What's your full search?


Builder

@somesoni2
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to thank people and close them.
Apologies for the delay.
Thanks and God bless,
Genesius
