How to get the values inside search

New Member

Hello, my problem is:

When I type a query in the search bar, such as:

source="number.txt"

it will show like this:

Number  UV   count
1       avc  11
2       bbb  13
3       ddd  14
...

How can I get the string value inside this? Such as: only bbb (string).

Because I want to use this string value bbb to do the subsearch.

I can filter to only see bbb in the result, but I can't use the actual true string value

to do the comparison in a subsearch.

Maybe I want to do something like this in SQL:

select * from table1 where uv=(select uv from table2)


Motivator

Is your "bbb" value being automatically extracted as a field? If not, try to extract it as a field first before performing the search. See http://www.splunk.com/base/Documentation/4.1.3/User/ExtractNewFields for more info.

Let's assume you have the field with the possible "bbb" value extracted as custom_field. Here is how you would pass this value from a subsearch to the outer search:

* [search source=numbers.txt | fields + custom_field | dedup custom_field | format]

Here is what this search will do:

  1. The search inside [] will be done first
  2. Search only source numbers.txt (source=numbers.txt)
  3. Retain only the custom_field field (fields + custom_field)
  4. Remove duplicates from the custom_field field (dedup custom_field)
  5. Pass the values of custom_field to the outer search (format)
  6. Search everything that has the custom field values our subsearch returned (*). Of course this could also be any number of search criteria.

Try running just the subsearch source=numbers.txt | fields + custom_field | dedup custom_field | format by itself to see what the output of the format command is.

For more info on subsearches see http://www.splunk.com/base/Documentation/4.1.3/User/HowSubsearchesWork

[Edit]

In response to your comment, modify the search as follows to only receive the value from the subsearch, with no parentheses or anything else:

* [search source=numbers.txt | fields + custom_field | dedup custom_field | rename custom_field as search | format "" "" "" "" "" ""]

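The subsearch pipeline from the answer above, re-created in Python as an added example (not code from the original post or from Splunk) so the effect of each stage, and of the six format arguments, can be seen on sample rows. The events are constructed from the table in the question; the default format "(" "(" "AND" ")" "OR" ")" rendering, the bare emission of a field named search or query, and the backslash escaping of quotes follow Splunk's documented format behaviour. The [] placeholder in the outer template is this example's own device for showing where the subsearch text is spliced in, not Splunk syntax.

```python
"""Emulate  source=numbers.txt | fields + UV | dedup UV | format  in Python.

Added example, not code from the original post or from Splunk. It models
how the formatted subsearch result is spliced into the outer search as
plain text, and why renaming the field to `search` removes the
((UV="...")) wrapper the poster saw.
"""

# Constructed sample events, modelled on the table pasted in the question
# (a duplicate UV is added so the dedup stage has something to do).
SAMPLE_EVENTS = [
    {"Number": "1", "UV": "avc", "count": "11"},
    {"Number": "2", "UV": "bbb", "count": "13"},
    {"Number": "3", "UV": "ddd", "count": "14"},
    {"Number": "4", "UV": "bbb", "count": "9"},
]

# format "<row prefix>" "<col prefix>" "<col sep>" "<col end>" "<row sep>" "<row end>"
DEFAULT_FORMAT = ("(", "(", "AND", ")", "OR", ")")   # Splunk's default
BARE_FORMAT = ("", "", "", "", "", "")               # format "" "" "" "" "" ""
BARE_FIELDS = {"search", "query"}  # emitted as bare terms, no field= and no quotes


def fields_keep(rows, *names):
    """`fields + a b`: keep only the named fields in each row."""
    return [{k: v for k, v in r.items() if k in names} for r in rows]


def dedup(rows, field):
    """`dedup field`: keep the first row seen for each distinct value."""
    seen, out = set(), []
    for r in rows:
        if r.get(field) not in seen:
            seen.add(r.get(field))
            out.append(r)
    return out


def rename(rows, old, new):
    """`rename old as new`."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]


def _quote(value):
    """Render a value as it appears in field="value", escaping \\ and "."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_rows(rows, spec=DEFAULT_FORMAT):
    """`format rp cp cs ce rs re`: rows -> one search string.

    Layout: rp cp c1 cs c2 ce rs cp ... ce re, with empty pieces dropped.
    A field named search/query is emitted as a bare term, which is why
    `rename custom_field as search` yields just the value.
    """
    rp, cp, cs, ce, rs, re_ = spec
    tokens = [rp]
    for i, row in enumerate(rows):
        if i:
            tokens.append(rs)
        tokens.append(cp)
        for j, (field, value) in enumerate(row.items()):
            if j:
                tokens.append(cs)
            tokens.append(str(value) if field in BARE_FIELDS else f"{field}={_quote(value)}")
        tokens.append(ce)
    tokens.append(re_)
    return " ".join(t for t in tokens if t)


def subsearch_default(events=SAMPLE_EVENTS):
    """source=numbers.txt | fields + UV | dedup UV | format"""
    return format_rows(dedup(fields_keep(events, "UV"), "UV"))


def subsearch_bare(events=SAMPLE_EVENTS, number="2"):
    """source=numbers.txt | where Number=2 | fields + UV | dedup UV
       | rename UV as search | format "" "" "" "" "" \"\""""
    rows = [e for e in events if e["Number"] == number]
    rows = rename(dedup(fields_keep(rows, "UV"), "UV"), "UV", "search")
    return format_rows(rows, BARE_FORMAT)


def outer_search(template, sub):
    """Splice the subsearch text into the outer search where [] stands
    for the [subsearch] (placeholder is this example's own convention)."""
    return template.replace("[]", sub)


if __name__ == "__main__":
    print(outer_search("* []", subsearch_default()))
    print(outer_search("myField=[]", subsearch_bare()))
```

Two things the thread shows but does not spell out: the subsearch result is spliced into the outer search as text, so myField=[...] only works once the rename-to-search trick makes format emit a bare term (with the default format the outer query would read myField=( ( UV="bbb" ) ), which is what broke the poster's attempt), and quotes inside a value are escaped rather than allowed to break the outer query. Subsearches are also capped by default at 10,000 results and 60 seconds (limits.conf [subsearch] maxout and maxtime), so a watchlist longer than that is truncated before it reaches the outer search.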

Motivator

I edited my original answer to answer the question you posed in your comment.



New Member

Hello... when I type source="number.txt" | where NO=1 | fields + UV | dedup UV | format

it shows the result like this:

((UV="U13_V4200_02"))

But when I add the [search ........]

it also cannot put the value into the outer search.

I have a question: can I get the result like this:

U13_V4200_02

That means only the string, without the (( )) and "".


Splunk Employee

Hi sony_1688,

It looks like you have some raw text data here, and I hope I got your question right.

What I would suggest here is to use a field extraction for the value bbb (i.e. myField).

Have a look here at how to use field extraction:

http://www.splunk.com/base/Documentation/4.1.3/User/ExtractNewFields

Then use a search that includes myField="bbb" in the subsearch to filter your data.

Hope that helps!

Cheers,

Christian

New Member

Firstly, thank you for your help. I can do myField="bbb" in this way. But my problem is, when I use a subsearch, the problem is like this:

myField="[sources="Number.txt" where Number="1"]"

I cannot do it like this, because the value that I need is dynamic according to that subsearch.
