How to create a subsearch with multiple results?

trucall · ‎06-12-2019

Hi,

I've a question about sub search, I'm probably misunderstanding docs and other posts.

This is my search:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)"| rename objectId as search  ] stringFilter

The subsearch, executed as a normal search, produce many results, so many objectId.

My expectations is that the final search is like this below:

index=MyIndex (objectId-1 OR objectId-2 OR objectId-3)  stringFilter

The behavior is different, only one objectId is used to search and the final search is similar to this:

index=MyIndex (objectId-1)  stringFilter

I don't understand why and what I need to change in order to process all objects of subsearch resultset.

Thanks for any kind help

Marcello

woodcock · ‎06-15-2019

Yo mcfly, @trucall, we've got answers for you, did anything work?

woodcock · ‎06-12-2019

You are taking over too much control and doing it all wrong. Start with this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g"

See what this produces and then switch to this:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g" ] stringFilter

FrankVl · ‎06-13-2019

Using format will result in the subsearch returning something like (objectId="123" OR objectId="456"), which wont work given that objectId apparently is not an extracted field. He wants the subsearch to only return the values, to then work as a string filter.

woodcock · ‎06-13-2019

Ah, based on this clarification, I have modified my original answer above.

FrankVl · ‎06-13-2019

I trust you meant | rex field=search mode=sed "s/objectId=//g" 🙂

woodcock · ‎06-14-2019

ARGH! Yes, you are right (I edited and fixed that, too). I was using a run-anywhere search to test but forgot to convert that part when I posted the answer. Thank you for grading my papers.

FrankVl · ‎06-12-2019

Probably because your subsearch does not have any transforming commands. I think the following should work:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)"| stats values(objectId) as search | eval search = mvjoin(search," OR ") ] stringFilter

Note: if you make sure objectId is properly extracted (so you don't need rex for it), you can simply do:

index=MyIndex [ search index=MyIndex host=as-x | fields objectId | dedup objectId | format ] stringFilter

How to create a subsearch with multiple results?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

How to create a subsearch with multiple results?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability