Subsearch not working on Splunk Cloud

tomazenix · ‎09-22-2021

Hi,

This seems super dumb, but I've been fiddling with this for an embarrassingly long time now. It's been a couple of years since I've written any sub-searches.

I'm attempting to project data from the subqueries into a summary table (all from the same root search results)

This is running on splunk cloud under a trial license.

See dumbed down queries belong.

Happily returns a result:

index=xxx
| search index=xxx admintom | stats count as x | table x 
| table  x

Format returns nothing (`format` shows `NOT()`)

index=xxx
[ search index=xxx admintom | stats count as x | table x ]
| table  x

bowesmana · ‎09-22-2021

Your search which has the subsearch is doing

a) count the occurrence of 'adminton' in index=xxx

b) pass the result of that query as a search constraint to the outer search

i.e. if we assume the subsearch has run, your outer search is doing

index=xxx x=48
| table x

don't really understand what you're trying to do though, but I suspect that's not it?

Subsearch not working on Splunk Cloud

using Splunk Cloud

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

Subsearch not working on Splunk Cloud

using Splunk Cloud

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!