- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use a subsearch to search across two in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have one ID in a particular index and using that I want to find events in another index.
My search looks like this -
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID ] | table _time, _raw
Basically, in my index abc_test, I have the value of xyzID, but with a different field name. So here I just want to see all events that contain the value of xyzID. But this search is giving me no results found. When I run these two commands individually I am getting results:
index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID gives me xyzID=56789
And when I search index=abc_test 56789 I am getting events. But in the subsearch format it is not working.
Can someone please suggest what is going wrong here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because you want to search on the field value, not the kv pair, you need to use the special column name "search" in the field name in the subsearch.
So:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID | rename xyzID as search ] | table _time, _raw
This will evaluate to:
index=abc_test ((56789))
rather than
index=abc_test ( ( xyzID="56789" ) )
See http://docs.splunk.com/Documentation/Splunk/7.1.3/Search/Changetheformatofsubsearchresults for more details.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Upas02,
if you have a different filename but the same values you have to rename it in the sub search:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as abcID | fields abcID ]
| table _time, _raw
In other words: you must have the same filename in main and subsearch.
If instead you want to search the xyzID values in the all the main search results and not in a defined field:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID | rename xyzID as query]
| table _time, _raw
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Giuseppe, I understood you need to rename the search result to either search or query to get the result from outer query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because you want to search on the field value, not the kv pair, you need to use the special column name "search" in the field name in the subsearch.
So:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID | rename xyzID as search ] | table _time, _raw
This will evaluate to:
index=abc_test ((56789))
rather than
index=abc_test ( ( xyzID="56789" ) )
See http://docs.splunk.com/Documentation/Splunk/7.1.3/Search/Changetheformatofsubsearchresults for more details.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank Colin, It worked perfect..and thanks fo rsharing the docs link as well.
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
