Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

subsearch join

sarit_s
Communicator
‎01-17-2022 06:35 AM

Hello

I have a field that does not return results when searching for specific string. 

i need to combine two searches so i will be able to return this field + other results from the search with the specific string

this is my query :

 

sourcetype=clientlogs OR sourcetype="client-logs-api" 
Categories="Login"
| stats count(eval( Message="Unable to load " OR Message="Unable to load from SDK")) as Faliure, values(Message) as Message values(IPAddress) as IPAddress, values(Url) as url by Country SessionGuid 

| appendpipe 
    [ stats sum(Faliure) as Faliure 
    | fillnull value=0 Faliure 
    | eval Country="TOTAL" ] 
| appendpipe 
    [ stats count(SessionGuid) as FailedSessions 
    | eval Country="TOTAL",Faliure="Faliure"] 
]
| table SessionGuid IPAddress Country Faliure Message FailedSessions url 
| sort - Faliure

 

i need to add the field CID which return no results when searching for the message at the beginning of the query 

how can i join them together so i will see in the table also the values of CID ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 07:01 AM

I am not sure I understand the requirement - do you want a list of CID where Categories != "Login" or a list of CID where message = "Unable to load " OR message = "Unable to load from SDK" or a list of CID where message != "Unable to load " AND message != "Unable to load from SDK" or something else?

0 Karma
Reply

sarit_s
Communicator
‎01-17-2022 07:02 AM

I want list of CID's when 

sourcetype=clientlogs OR sourcetype="client-logs-api"

and add it to the table

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 07:09 AM 
| append [search sourcetype=clientlogs OR sourcetype="client-logs-api"
| stats values(CID) as CID]
0 Karma
Reply

sarit_s
Communicator
‎01-17-2022 07:13 AM

CID still empty

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 08:26 AM

So CID doesn't exist in these sourcetypes?

If it does, how would you list them?

0 Karma
Reply

sarit_s
Communicator
‎01-17-2022 08:30 AM

It does. 
if im searching only for those sourcetyps i can find CID

but when i append this search with the rest it returns empty

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...