Splunk Search

How to return raw data results from subsearch query?

anilchauhanmanu
Explorer

I can't return _raw data from a subsearch as below, but I can find this raw data if I use it in a separate main search.
I'm able to get _raw data when this join was not working properly if I remove ESBDPUUID from the main search.

index=esb_dev earliest=-14d@d latest=@d sourcetype="datapower_audit" status="FAILURE" OR STATUS="ERROR" |stats values(ESBDPUUID),values(status),count by ESBDPUUID,host,svc_bp_name _time | join type=left ESBDPUUID[search index=esb_dev sourcetype="datapower_Error" |table _raw ]

This is not displaying the result, but when I remove table _raw then I can see the result well.

1 Solution

peter_krammer
Communicator

Have you tried renaming your _raw in the subsearch and returning it with the ESBDPUUID to the main search:

index=esb_dev earliest=-14d@d latest=@d sourcetype="datapower_audit" status="FAILURE" OR STATUS="ERROR" |stats values(ESBDPUUID),values(status),count by ESBDPUUID,host,svc_bp_name _time | join type=left ESBDPUUID [search index=esb_dev sourcetype="datapower_Error" | eval sub_raw = _raw | table ESBDPUUID, sub_raw ]

anilchauhanmanu
Explorer

Thanks Peter, it's working. Really, thanks a lot.


aweitzman
Motivator

If you use a join there needs to be a field with the same name in the subsearch (in your case, ESBDPUUID). By adding table _raw to the subsearch, you eliminate all of the fields except for _raw, which means that there is no ESBDPUUID field to join on anymore. That's why your search fails when it's there, and succeeds when it's not.

What happens if you add table ESBDPUUID _raw in the subsearch instead? Does that get you what you want?
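A self-contained version of the accepted fix, added here as an example and not taken from any post above: it builds both sides from constructed makeresults rows instead of the esb_dev index, so the UUID values, hostname and service name are made-up placeholders. It keeps ESBDPUUID in the subsearch output alongside the renamed sub_raw, and adds max=0 to join, because join keeps only the first matching subsearch row per ESBDPUUID by default, which would silently drop additional error events for the same UUID.

```spl
| makeresults count=3
| streamstats count AS n
| eval ESBDPUUID=case(n==1, "uuid-a", n==2, "uuid-b", n==3, "uuid-a"),
       host="dp01", svc_bp_name="OrderSvc", status="FAILURE"
| stats values(status) AS status, count BY ESBDPUUID, host, svc_bp_name
| join type=left max=0 ESBDPUUID
    [| makeresults count=2
     | streamstats count AS n
     | eval ESBDPUUID=if(n==1, "uuid-a", "uuid-b"),
            _raw="error event ".n." for ".ESBDPUUID
     | eval sub_raw=_raw
     | table ESBDPUUID sub_raw ]
```

Replacing the subsearch's last line with `| table sub_raw` reproduces the original failure: the join key is gone, so every main-search row comes back with an empty sub_raw.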

anilchauhanmanu
Explorer

Hi buddy, thanks for your suggestion, buddy, but it's not working even if I have put this also: | ESBDPUUID _raw. It only shows results when I remove these table commands and put only the query; then it combines with each field and shows results.
It does not even create a field with blank values when I put ESBDPUUID, but it creates a field if I put something random like ESB or any other field.
