Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trying to add a sub_search that brings back the action field to the base search. Any help will be appreciated.

NanSplk01
Communicator
‎02-04-2025 11:39 AM

index=cim_modactions source=/opt/splunk/var/log/splunk/incident_ticket_creation_modalert.log host=sh* search_name=* source=* sourcetype=modular_alerts:incident_ticket_creation user=* action_mode=* action_status=* search_name=kafka* [| rest /servicesNS/-/-/saved/searches
| search title=kafka*
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1")
| eval identifierDate=now()
| convert ctime(identifierDate) AS identifierDate
| table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo, actions
| fillnull value=""
| sort -lastUpdated actions]
| table user search_name action_status date_month date_year _time

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-04-2025 03:13 PM

It is not clear what you are trying to do with your sub-search. Please clarify in non-SPL terms, what it is that you are trying to achieve.

0 Karma
Reply

NanSplk01
Communicator
‎02-05-2025 03:53 AM

All I want to get from the subsearch is to bring back the field actions.  It can probably be a much smaller search.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2025 06:23 AM 
index=cim_modactions source=/opt/splunk/var/log/splunk/incident_ticket_creation_modalert.log host=sh* search_name=* source=* sourcetype=modular_alerts:incident_ticket_creation user=* action_mode=* action_status=* search_name=kafka* [| rest /servicesNS/-/-/saved/searches
| search title=kafka*
| stats count by actions
| table actions]
| table user search_name action_status date_month date_year _time
0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top