Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use FORMAT search command in a subsearch

dmlee
Communicator
‎06-21-2010 03:30 PM

Hi,

I have a BlueCoat Proxy log in main index

if I run 

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10

Splunk returns first 10 events which have cn="*", good!

but if I run 

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]

Splunk returns 0 events !

I tried to figure out what is the problem, so I run 

index="main" sourcetype="bcoat_proxysg" cn="*" | head 10 | fields cn | format

Splunk returns :

( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

then I tried this : 

index="main" sourcetype="bcoat_proxysg" cn="*" ( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )

Splunk returns many events which has cn="Sales"

so, I don't know why I got 0 event when I use search command as below : 

index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]
Tags (1)
0 Karma
Reply

ramanjain1983
Path Finder
‎01-30-2014 05:49 AM

any further response on this please.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎06-21-2010 06:48 PM

Do you have any fields set to the literal asterisk? We have some trouble with that sort of thing.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-21-2010 04:59 PM

There might be a bug such that subsearches do not perform "Private" extractions correctly. Is the field extraction for the the cn field either "App" or "Global", or is it "Private"?

0 Karma
Reply

dmlee
Communicator
‎08-05-2010 12:29 AM

Hi Gkanapathy, here is another case we filed yesterday : http://answers.splunk.com/questions/5296/field-extraction-stopped-working-after-upgrade-from-4-1-3-t... . I don't know if it is the same problem, thanks.

0 Karma
Reply

dmlee
Communicator
‎06-22-2010 08:54 AM

Hi Jrodman , gkanapathy,
thanks for your reply.
because the filed "cn" was extracted by Splunk automatically , not by user, so I think "cn" is not private field.

the event looks like :
2010-4-22 10:27:29 83 10.103.1.215 anthony.keller cn=Sales,ou=groups,dc=acme,dc=com - OBSERVED "Web Advertisements" http://view.atdmt.com/VON/iview/yhxxxvos0160000076von/direct/01/?time=1190758799040297&click=http://... 200 TCP_HIT GET image/gif http spe.atdmt.com 80 ...

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎06-21-2010 06:47 PM

There's definitely a bug that subsearches don't look at per-user data. Andrea is working on it.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...