Solved: Can you help me with a subsearch?

jip31 · ‎02-23-2019

Hi,

I use the search below in order to display the model of a host for only the host which has a Wear_Rate>0

But the Model field is empty.

Could you help me to display the model for all the machines which have a Wear_Rate>0 please??

eventtype=Charge AND (NOT host=E* AND NOT host=I*) 
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host 
| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity) 
| where Wear_Rate >0
| dedup host
| join type="outer" 
    [ search index="x" sourcetype="x" 
    | rex "Model=(?<model>.*)" 
    | stats values(model) as Model by host 
  ]

cvssravan · ‎02-23-2019

One basic observation is, you missed to mention the field on which you want to join, see below:

| join type="outer" host

try this and let me know if it worked

View solution in original post

cvssravan · ‎02-23-2019

One basic observation is, you missed to mention the field on which you want to join, see below:

| join type="outer" host

try this and let me know if it worked

jip31 · ‎02-23-2019

yes thanks

Can you help me with a subsearch?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Can you help me with a subsearch?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!