Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Questions about federated search subsearch?

KwonTaeHoon
Path Finder
‎02-28-2023 12:24 AM

Hello

I want to ask a question about subsearch.

When submitting a fed command without using it, an error message occurs as follows.

Before setting federated search ]

index=fw | join src_ip [ sourcetype=ips | stats count by src_ip ]

>> Result : OK

After setting federated search ]

index=fw | join src_ip [ sourcetype=ips | stats count by src_ip ]

>> Result : NG
Error : Search command can only accept one federated index.

Is there any solution?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

nejmeddine
Loves-to-Learn
‎05-04-2023 07:30 AM

can i use federated search between different versions splunk ?

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...