Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search error messages in log file?

akothapx
Engager
‎05-29-2023 10:15 PM

Hi, I am new to Splunk. How to search error messages in the log file using SPL.
I am using the below formats to search for error messages.
source="sample_logcat.txt" host="debug" sourcetype="Android log" | head 20
source="sample_logcat.txt" host="debug" sourcetype="Android log" | tail 4
error* AND * | search iwlwifi
error* AND * | search Bluetooth

Is sub-search possible in Splunk? Can we search the result of a secondary or inner query as the input to the primary or outer question? 

If possible can anyone explain in detail?

Labels (2)
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 11:26 PM

Hi @akothapx,

answering to your questions:

Is sub-search possible in Splunk?

Yes, is possible, beware only to one thing: the field names in main and sub search must be the same (field names are case sensitive).

Can we search the result of a secondary or inner query as the input to the primary or outer question? 

yes, remember only that a sunsearch has the limit of 50,000 results.

In addition, it's ab est practice to put the search terms as left as possible, so it isn't a good idea to user a main search and after use the search command as you did:

source="sample_logcat.txt" host="debug" sourcetype="Android log" (iwlwifi OR Bluetooth)

if you haven't experience in SPL, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial) to understand how SPL works.

In addition there are many interesting videos in the YouTube Splunk Channel: https://www.youtube.com/@Splunkofficial

Ciao.

Giuseppe

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

akothapx
Engager
‎05-29-2023 11:45 PM

Thanks for the response @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 11:46 PM

Hi @akothapx ,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 11:26 PM

Hi @akothapx,

answering to your questions:

Is sub-search possible in Splunk?

Yes, is possible, beware only to one thing: the field names in main and sub search must be the same (field names are case sensitive).

Can we search the result of a secondary or inner query as the input to the primary or outer question? 

yes, remember only that a sunsearch has the limit of 50,000 results.

In addition, it's ab est practice to put the search terms as left as possible, so it isn't a good idea to user a main search and after use the search command as you did:

source="sample_logcat.txt" host="debug" sourcetype="Android log" (iwlwifi OR Bluetooth)

if you haven't experience in SPL, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial) to understand how SPL works.

In addition there are many interesting videos in the YouTube Splunk Channel: https://www.youtube.com/@Splunkofficial

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...