I have one ID in a particular index and using that I want to find events in another index.
My search looks like this -
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID ] | table _time, _raw
Basically, in my index abc_test, I have the value of xyzID, but with a different field name. So here I just want to see all events that contain the value of xyzID. But this search is giving me "No results found". When I run these two commands individually I am getting results:
index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID gives me xyzID=56789
And when I search index=abc_test 56789 I am getting events. But in the subsearch format it is not working.
Can someone please suggest what is going wrong here?
Because you want to search on the field value, not the kv pair, you need to use the special column name "search" in the field name in the subsearch.
So:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID | rename xyzID as search ] | table _time, _raw
This will evaluate to:
index=abc_test ((56789))
rather than
index=abc_test ( ( xyzID="56789" ) )
See http://docs.splunk.com/Documentation/Splunk/7.1.3/Search/Changetheformatofsubsearchresults for more details.
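As an added illustration (not part of the thread or of Splunk's own code), a small Python model of the default subsearch formatting Colin describes: ordinary fields become `field="value"` pairs, while a field named `search` (or `query`) is spliced in as a bare search term. The exact whitespace and quote escaping used by real Splunk are assumptions here.

```python
# Added example: models how a subsearch's result rows are turned into the
# search string that replaces the [ ... ] in the outer search.
from typing import Dict, List

# Fields whose values Splunk inserts as raw search terms instead of kv pairs.
SPECIAL_FIELDS = {"search", "query"}


def _quote(value: str) -> str:
    """Quote a value for a field="value" term (escaping rules are assumed)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_row(row: Dict[str, str]) -> str:
    """One result row -> a parenthesised group of AND-ed terms."""
    terms = []
    for field, value in row.items():
        if field in SPECIAL_FIELDS:
            terms.append(value)                 # bare term, e.g. 56789
        else:
            terms.append(f"{field}={_quote(value)}")  # xyzID="56789"
    return "( " + " AND ".join(terms) + " )"


def format_subsearch(rows: List[Dict[str, str]]) -> str:
    """All rows OR-ed together and wrapped once more, like Splunk's
    implicit `format`. Empty subsearches are not modelled here."""
    return "( " + " OR ".join(format_row(r) for r in rows) + " )"


def is_plain_term(value: str) -> bool:
    """A bare `search` value is parsed as search syntax, not as literal text.
    Values containing operators or wildcards (OR, NOT, *, parentheses) would
    widen or change the outer search, so callers may want to check for that."""
    return value.replace("_", "").replace("-", "").isalnum()


def demo() -> Dict[str, str]:
    # Constructed rows reproducing the two cases from the thread.
    kv_row = [{"xyzID": "56789"}]                # subsearch without rename
    raw_row = [{"search": "56789"}]              # after `rename xyzID as search`
    return {"kv": format_subsearch(kv_row), "raw": format_subsearch(raw_row)}


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name}: index=abc_test {text}")
```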
Hi Upas02,
if you have a different field name but the same values, you have to rename it in the subsearch:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as abcID | fields abcID ]
| table _time, _raw
In other words: you must have the same field name in the main search and the subsearch.
If instead you want to search for the xyzID values in all the main search results and not in a defined field:
index=abc_test [ search index=xyz_test 12345 | stats latest(xyzID) as xyzID | fields xyzID | rename xyzID as query]
| table _time, _raw
Bye.
Giuseppe
Thanks Giuseppe, I understood you need to rename the search result to either search or query to get the result from the outer query.
Thanks Colin, it worked perfectly, and thanks for sharing the docs link as well.