Splunk Search

How to use FORMAT search command in a subsearch

dmlee
Communicator

Hi,

I have a BlueCoat Proxy log in main index

if I run

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10

Splunk returns first 10 events which have cn="*", good!

but if I run

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 | fields cn | format]

Splunk returns 0 events !

I tried to figure out what is the problem, so I run

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10 | fields cn | format

Splunk returns :

( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

then I tried this :

index="main" sourcetype="bcoat_proxysg" cn="*" ( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

Splunk returns many events which have cn="Sales"

so, I don't know why I get 0 events when I use the search command as below:

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 | fields cn | format]
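To make the question concrete, here is an added Python model (not Splunk code and not from the original post) of the pipeline in the question: key=value auto extraction of the cn field from constructed Blue Coat-style sample lines, `| head`, `| fields cn | format` with its default prefix/join/suffix arguments, and the outer search evaluating the expanded clause. The sample events are constructed for the example and the `NOT ( )` output for an empty subsearch is an assumption. In this model both the subsearch and the outer search see the same extraction, so the expanded clause matches exactly the events the literal `( ( cn="Sales" ) OR ... )` matches; the only way to get 0 results here is for the subsearch itself to return no rows, which is the case worth checking first when a subsearch comes back empty. A `| dedup cn` before `format` is also shown, since it collapses the repeated `( cn="Sales" )` groups into one.

```python
import re

# Constructed sample events (not real proxy traffic), laid out like the Blue Coat
# ProxySG line quoted in the thread. The LDAP DN column carries cn=<group>;
# the last line has no DN at all, so no cn field is extracted from it.
SAMPLE_EVENTS = [
    '2010-4-22 10:27:29 83 10.103.1.215 anthony.keller cn=Sales,ou=groups,dc=acme,dc=com '
    '- OBSERVED "Web Advertisements" http://ads.example/img.gif 200 TCP_HIT GET image/gif http ads.example 80',
    '2010-4-22 10:27:30 91 10.103.1.216 jane.doe cn=Engineering,ou=groups,dc=acme,dc=com '
    '- OBSERVED "Technology" http://docs.example/ 200 TCP_HIT GET text/html http docs.example 80',
    '2010-4-22 10:27:31 12 10.103.1.217 bob.smith cn=Sales,ou=groups,dc=acme,dc=com '
    '- OBSERVED "News" http://news.example/ 304 TCP_HIT GET text/html http news.example 80',
    '2010-4-22 10:27:32 12 10.103.1.218 svc.account - '
    '- DENIED "Malware" http://bad.example/x 403 TCP_DENIED GET - http bad.example 80',
]

# Approximation of Splunk's automatic key=value extraction: a bare name=value
# token whose value runs up to whitespace or a comma, so the DN splits into
# cn=, ou= and dc= pairs.
KV_RE = re.compile(r'(?<![\w.])(\w+)=([^\s,]+)')


def extract_fields(event):
    """Return the key=value pairs a Splunk-style auto extraction would find."""
    return dict(KV_RE.findall(event))


def search(events, field, value="*"):
    """Model of `index=... field="value"`; "*" matches any non-empty value."""
    hits = []
    for ev in events:
        fields = extract_fields(ev)
        if field in fields and (value == "*" or fields[field] == value):
            hits.append(ev)
    return hits


def head(results, n):
    """`| head n`"""
    return results[:n]


def dedup(rows, field):
    """`| dedup field`: keep the first row seen for each distinct value."""
    seen, out = set(), []
    for row in rows:
        if row.get(field) not in seen:
            seen.add(row.get(field))
            out.append(row)
    return out


def splunk_format(rows, fields):
    """Rebuild what `| fields <f> | format` emits with default arguments:
    one ( a="1" AND b="2" ) group per row, groups joined by OR, the whole
    wrapped in an outer pair of parentheses. Assumption: an empty row set
    yields 'NOT ( )', a clause that matches nothing."""
    groups = []
    for row in rows:
        terms = [f'{f}="{row[f]}"' for f in fields if f in row]
        if terms:
            groups.append("( " + " AND ".join(terms) + " )")
    if not groups:
        return "NOT ( )"
    return "( " + " OR ".join(groups) + " )"


# Parse a format-style clause back into a list of AND-groups so it can be
# evaluated against events the way the outer search evaluates the literal.
GROUP_RE = re.compile(r'\(\s*((?:\w+="[^"]*"(?:\s+AND\s+)?)+)\s*\)')
TERM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_dnf(clause):
    return [dict(TERM_RE.findall(m.group(1))) for m in GROUP_RE.finditer(clause)]


def apply_dnf(events, groups):
    """Keep events for which at least one AND-group matches on every term."""
    hits = []
    for ev in events:
        fields = extract_fields(ev)
        if any(all(fields.get(f) == v for f, v in g.items()) for g in groups):
            hits.append(ev)
    return hits


def run_subsearch(events, n=10, dedup_first=False):
    """`[search cn="*" | head n | fields cn | format]`, optionally with `| dedup cn`."""
    rows = [{"cn": extract_fields(ev)["cn"]} for ev in head(search(events, "cn"), n)]
    if dedup_first:
        rows = dedup(rows, "cn")
    return splunk_format(rows, ["cn"])


def outer_search(events, n=10, dedup_first=False):
    """The full `index=main [subsearch]` pipeline: expand, then filter."""
    clause = run_subsearch(events, n, dedup_first)
    return clause, apply_dnf(events, parse_dnf(clause))


if __name__ == "__main__":
    for dd in (False, True):
        clause, hits = outer_search(SAMPLE_EVENTS, dedup_first=dd)
        print(clause)
        print(f"  -> {len(hits)} events match")
```

Running the script prints the expanded clause with and without dedup; the event without a DN never produces a cn field, so it is neither picked up by the subsearch nor matched by the expanded clause.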

ramanjain1983
Path Finder

Any further response on this, please?


jrodman
Splunk Employee

Do you have any fields set to the literal asterisk? We have some trouble with that sort of thing.


gkanapathy
Splunk Employee

There might be a bug such that subsearches do not perform "Private" extractions correctly. Is the field extraction for the cn field either "App" or "Global", or is it "Private"?


dmlee
Communicator

Hi Gkanapathy, here is another case we filed yesterday: http://answers.splunk.com/questions/5296/field-extraction-stopped-working-after-upgrade-from-4-1-3-t... . I don't know if it is the same problem, thanks.


dmlee
Communicator

Hi Jrodman, gkanapathy,
thanks for your reply.
Because the field "cn" was extracted by Splunk automatically, not by a user, I think "cn" is not a private field.

the event looks like :
2010-4-22 10:27:29 83 10.103.1.215 anthony.keller cn=Sales,ou=groups,dc=acme,dc=com - OBSERVED "Web Advertisements" http://view.atdmt.com/VON/iview/yhxxxvos0160000076von/direct/01/?time=1190758799040297&click=http://... 200 TCP_HIT GET image/gif http spe.atdmt.com 80 ...


jrodman
Splunk Employee

There's definitely a bug that subsearches don't look at per-user data. Andrea is working on it.
