Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use FORMAT search command in a subsearch

dmlee
Communicator
‎06-21-2010 03:30 PM

Hi,

I have a BlueCoat Proxy log in main index

if I run 

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10

Splunk returns first 10 events which have cn="*", good!

but if I run 

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]

Splunk returns 0 events !

I tried to figure out what is the problem, so I run 

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10 | fields cn | format

Splunk returns :

( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

then I tried this : 

index="main" sourcetype="bcoat_proxysg" cn="*" ( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

Splunk returns many events which has cn="Sales"

so, I don't know why I got 0 event when I use search command as below : 

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]
Tags (1)
0 Karma
Reply

ramanjain1983
Path Finder
‎01-30-2014 05:49 AM

any further response on this please.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎06-21-2010 06:48 PM

Do you have any fields set to the literal asterisk? We have some trouble with that sort of thing.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-21-2010 04:59 PM

There might be a bug such that subsearches do not perform "Private" extractions correctly. Is the field extraction for the the cn field either "App" or "Global", or is it "Private"?

0 Karma
Reply

dmlee
Communicator
‎08-05-2010 12:29 AM

Hi Gkanapathy, here is another case we filed yesterday : http://answers.splunk.com/questions/5296/field-extraction-stopped-working-after-upgrade-from-4-1-3-t... . I don't know if it is the same problem, thanks.

0 Karma
Reply

dmlee
Communicator
‎06-22-2010 08:54 AM

Hi Jrodman , gkanapathy,
thanks for your reply.
because the filed "cn" was extracted by Splunk automatically , not by user, so I think "cn" is not private field.

the event looks like :
2010-4-22 10:27:29 83 10.103.1.215 anthony.keller cn=Sales,ou=groups,dc=acme,dc=com - OBSERVED "Web Advertisements" http://view.atdmt.com/VON/iview/yhxxxvos0160000076von/direct/01/?time=1190758799040297&click=http://... 200 TCP_HIT GET image/gif http spe.atdmt.com 80 ...

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎06-21-2010 06:47 PM

There's definitely a bug that subsearches don't look at per-user data. Andrea is working on it.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...