Splunk Search

How to return subsearch field calculated by stats function?


Dear all,

If now I extract top 10 src-ip and use this src-ip to do further outer search, but I still wanna keep the field "count" calculated by "stats count by src-ip", how can I remain this field and its value or append to outer search? if I keep this count value, the outer search should not search anything due to not having the field named count.


Tags (2)
0 Karma

Splunk Employee
Splunk Employee

It depends on what you're looking for. Can you put your search in, or explain the situation a bit more?

One way that can make this work is to go:

YourOuterSearch | join src-ip [search YourInnerSearch | stats count by src-ip]

But that's almost certainly an inefficient way, and you we can get you a better one if you post some more details.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!