- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: subsearch with static result
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to achieve subsearch with static result?
I want to achieve something like this:
index=main servicetype="aws:accesslogs" (apps in ("app1","app2","app3"))
note: app1, app2, app3 are static value which is extracted from static json object (not coming from search)
I want to build subsearch to get the extract values from json and use it in primary search. Which of the generating command i can use in subsearch?
I am not getting result when i use search command. when i run the subsearch separately with makeresults i get the value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it is not working when ending up fields also.
This is what i am testing:
index=main servicetype="aws:accesslogs" [ search | eval prods="[{\"product\":\"101\",\"color\":[\"red\",\"green\",\"blue\"]},{\"product\":\"102\",\"color\":[\"yellow\",\"green\"]}]" | spath path={} input=prods output=prodcols| mvexpand prodcols| spath input=prodcols | rename color{} as colors | where 'product' = "102" | eval result="app/".mvjoin(colors,",app/") | rex field=result mode=sed "s/,/*,/g" | eval result=result."*" | eval apps=split(result,",") | fields apps
When i replace the string coming from |format into main query, i am getting the result.
Can you please check what is wrong in this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @biju_babu,
you have to create a subsearch endinf with the "| fields app" command.
Put attention tat the field name "app" must be the same both in the main search and in subsearch, in other words, rename the field in subsearch to have the same field name of the main search:
index=main servicetype="aws:accesslogs" [ search <your_search> | spath | rename xxx.apps AS apps | fields apps ]
| ...Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it is not working when ending up fields also.
This is what i am testing:
index=main servicetype="aws:accesslogs" [ search | eval prods="[{\"product\":\"101\",\"color\":[\"red\",\"green\",\"blue\"]},{\"product\":\"102\",\"color\":[\"yellow\",\"green\"]}]" | spath path={} input=prods output=prodcols| mvexpand prodcols| spath input=prodcols | rename color{} as colors | where 'product' = "102" | eval result="app/".mvjoin(colors,",app/") | rex field=result mode=sed "s/,/*,/g" | eval result=result."*" | eval apps=split(result,",") | fields apps
When i replace the string coming from |format into main query, i am getting the result.
Can you please check what is wrong in this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @biju_babu,
in the subsearch, you have to insert the full search, not part of it:
index=main servicetype="aws:accesslogs" [ search index=main servicetype="aws:accesslogs" | eval prods="[{\"product\":\"101\",\"color\":[\"red\",\"green\",\"blue\"]},{\"product\":\"102\",\"color\":[\"yellow\",\"green\"]}]" | spath path={} input=prods output=prodcols| mvexpand prodcols| spath input=prodcols | rename color{} as colors | where 'product' = "102" | eval result="app/".mvjoin(colors,",app/") | rex field=result mode=sed "s/,/*,/g" | eval result=result."*" | eval apps=split(result,",") | fields apps]Then check what's the result of the subsearch running it by itself and vieving is you have a list of apps.
If yes, it's correct.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @biju_babu,
let me know if you need more help on this issue, otherwise, please accept one naser for the other people of Community.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is what my initial question was. I don't want to do a search as the value i am expecting from subsearch is static. Is there any other way to get result?
With full search, results is getting repeated for the given time duration.
Verified the result with | makeresults. I am getting the result as
(((apps="app/yellow*" OR apps="app/green*")))
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
