Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you return multiple fields from a subsearch to a main search?

yepyepyayyooo
New Member
‎03-01-2019 07:51 AM

I'm 99% there guys. The query works fine. Soliciting assistance getting me to the end zone. Would like to also include v_user_name in the main search results table. How would one achieve this...

index="bro" sourcetype="bro_http" dest_ipi_zone="EXT" user_agent="*Mozilla*"
    [search index="sep" sourcetype="sep:server_client_log" [| inputlookup watcher_list | fields v_user_name ]
    | stats count values(dest_ip) as dest_ip by v_user_name
    | fields dest_ip
    | rename dest_ip as id.orig_h
    | format ]
| table _time id.orig_h id.resp_h id.resp_p method domain uri post_body
0 Karma
Reply

jeffbat
Path Finder
‎03-01-2019 02:47 PM

You need to add v_user_name to line 4 as well as to the table line in 7.

In line 4 you are saying what fields to keep going forward and all you are bringing back from the subsearch is dest_ip

0 Karma
Reply

yepyepyayyooo
New Member
‎03-04-2019 05:57 AM

Unfortunately, adding v_user_name as an additional field in line 4 causes the query to return zero results. Also attempted adding via line 3 and output as a different name, yielded same results.

0 Karma
Reply

damann
Communicator
‎03-01-2019 08:16 AM

have you tried to add v_user_nameto your table in line 7?
... | table _time id.orig_h id.resp_h id.resp_p method domain uri post_body v_user_name

0 Karma
Reply

yepyepyayyooo
New Member
‎03-01-2019 08:24 AM

Yes, I've tried adding the value to the table in the main search. The results are blank. The value isn't being fed to the main search.

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...