How to use FORMAT search command in a subsearch

dmlee
Communicator

Hi,

I have BlueCoat Proxy logs in the main index

if I run

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10

Splunk returns the first 10 events that have cn="*", good!

but if I run

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]

Splunk returns 0 events!

I tried to figure out what the problem is, so I ran

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10 | fields cn | format

Splunk returns:

( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

then I tried this:

index="main" sourcetype="bcoat_proxysg" cn="*" ( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

Splunk returns many events which have cn="Sales"

so I don't know why I get 0 events when I use the search command as below:

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]

ramanjain1983
Path Finder

Any further response on this, please?


jrodman
Splunk Employee

Do you have any fields set to the literal asterisk? We have some trouble with that sort of thing.


gkanapathy
Splunk Employee

There might be a bug such that subsearches do not perform "Private" extractions correctly. Is the field extraction for the cn field either "App" or "Global", or is it "Private"?


dmlee
Communicator

Hi Gkanapathy, here is another case we filed yesterday: http://answers.splunk.com/questions/5296/field-extraction-stopped-working-after-upgrade-from-4-1-3-t... . I don't know if it is the same problem, thanks.


dmlee
Communicator

Hi Jrodman, gkanapathy,
thanks for your reply.
Because the field "cn" was extracted by Splunk automatically, not by a user, I think "cn" is not a private field.

the event looks like:
2010-4-22 10:27:29 83 10.103.1.215 anthony.keller cn=Sales,ou=groups,dc=acme,dc=com - OBSERVED "Web Advertisements" http://view.atdmt.com/VON/iview/yhxxxvos0160000076von/direct/01/?time=1190758799040297&click=http://... 200 TCP_HIT GET image/gif http spe.atdmt.com 80 ...


jrodman
Splunk Employee

There's definitely a bug that subsearches don't look at per-user data. Andrea is working on it.

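An added example, not code from the thread or from Splunk, that models what the `format` command does with the rows a subsearch returns, so the 0-event result described above can be reproduced offline. It assumes the default `format` delimiters (OR across rows, AND within a row), no deduplication of identical rows (the thread shows ten repeated cn="Sales" clauses), and an empty result set rendered as `NOT ( )`, which matches nothing; the events and the `subsearch_rows` helper are constructed for the illustration.

```python
# Emulation of Splunk's `format` over subsearch rows (added example, not Splunk's code).
# Assumption: an empty subsearch renders as "NOT ( )", which matches no event.

def quote(value):
    """Render a field value as a double-quoted search term."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def splunk_format(rows):
    """Build the search string handed to the outer search: OR across rows, AND within a row."""
    clauses = []
    for row in rows:
        terms = [f"{field}={quote(value)}" for field, value in row.items()]
        if terms:
            clauses.append("( " + " AND ".join(terms) + " )")
    if not clauses:
        return "NOT ( )"
    return "( " + " OR ".join(clauses) + " )"

def filter_events(rows, events):
    """Apply the same OR-of-AND semantics directly to the structured rows."""
    usable = [r for r in rows if r]
    return [e for e in events
            if any(all(e.get(f) == v for f, v in r.items()) for r in usable)]

# Constructed events in the shape of the bcoat_proxysg line quoted in the thread.
EVENTS = [
    {"sourcetype": "bcoat_proxysg", "user": "anthony.keller", "cn": "Sales"},
    {"sourcetype": "bcoat_proxysg", "user": "jane.doe", "cn": "Sales"},
    {"sourcetype": "bcoat_proxysg", "user": "bob.smith", "cn": "Engineering"},
    {"sourcetype": "bcoat_proxysg", "user": "svc-backup"},  # no cn value in this event
]

def subsearch_rows(events, extraction_runs, limit=10):
    """Model `search cn="*" | head 10 | fields cn` inside the subsearch (hypothetical helper).
    If the per-user (private) extraction is not applied in the subsearch, cn never exists,
    so cn="*" matches nothing and the subsearch returns no rows."""
    if not extraction_runs:
        return []
    return [{"cn": e["cn"]} for e in events if "cn" in e][:limit]

if __name__ == "__main__":
    good = subsearch_rows(EVENTS, extraction_runs=True)
    print(splunk_format(good))               # ( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Engineering" ) )
    print(len(filter_events(good, EVENTS)))  # 3
    bad = subsearch_rows(EVENTS, extraction_runs=False)
    print(splunk_format(bad))                # NOT ( )
    print(len(filter_events(bad, EVENTS)))   # 0
```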