Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a subsearch with multiple results?

trucall
New Member
‎06-12-2019 12:07 AM

Hi,

I've a question about sub search, I'm probably misunderstanding docs and other posts.

This is my search:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)"| rename objectId as search  ] stringFilter

The subsearch, executed as a normal search, produce many results, so many objectId.

My expectations is that the final search is like this below:

index=MyIndex (objectId-1 OR objectId-2 OR objectId-3)  stringFilter

The behavior is different, only one objectId is used to search and the final search is similar to this:

index=MyIndex (objectId-1)  stringFilter

I don't understand why and what I need to change in order to process all objects of subsearch resultset.

Thanks for any kind help

Marcello

0 Karma
Reply

woodcock
Esteemed Legend
‎06-15-2019 03:20 PM

Yo mcfly, @trucall, we've got answers for you, did anything work?

0 Karma
Reply

woodcock
Esteemed Legend
‎06-12-2019 03:11 PM

You are taking over too much control and doing it all wrong. Start with this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format

See what this produces and then switch to this:

index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g"

See what this produces and then switch to this:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId =//g" ] stringFilter
0 Karma
Reply

FrankVl
Ultra Champion
‎06-13-2019 12:07 AM

Using format will result in the subsearch returning something like (objectId="123" OR objectId="456"), which wont work given that objectId apparently is not an extracted field. He wants the subsearch to only return the values, to then work as a string filter.

Reply

woodcock
Esteemed Legend
‎06-13-2019 02:21 PM

Ah, based on this clarification, I have modified my original answer above.

Reply

FrankVl
Ultra Champion
‎06-13-2019 11:28 PM

I trust you meant | rex field=search mode=sed "s/objectId=//g" 🙂

Reply

woodcock
Esteemed Legend
‎06-14-2019 07:56 AM

ARGH! Yes, you are right (I edited and fixed that, too). I was using a run-anywhere search to test but forgot to convert that part when I posted the answer. Thank you for grading my papers.

Reply

FrankVl
Ultra Champion
‎06-12-2019 05:53 AM

Probably because your subsearch does not have any transforming commands. I think the following should work:

index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)"| stats values(objectId) as search | eval search = mvjoin(search," OR ") ] stringFilter

Note: if you make sure objectId is properly extracted (so you don't need rex for it), you can simply do:

index=MyIndex [ search index=MyIndex host=as-x | fields objectId | dedup objectId | format ] stringFilter
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...