Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use data models in subsearch

eidil
Explorer
‎08-16-2020 08:21 PM

I am trying to use data models in my subsearch but it seems it returns 0 results.

| datamodel disk_forecast C_drive search
| join type=inner host_name
[

| datamodel disk_forecast C_drive search
| search value > 80
| stats count by host_name
| lookup host_tier.csv host_name output host_name, tier
| search tier = G
| fields host_name
]
|timechart span=1d first(value) by host_name limit=0

I tried using normal searches to replace the data model and it worked fine. Is there any restriction of using datamodel in subsearch?

Tags (1)
0 Karma
Reply

eidil
Explorer
‎08-17-2020 05:59 PM

because i'm trying to get results based on host_name in host_tier.csv with gold tier SLA

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2020 06:14 AM
I still don't see the need for a join. The subsearch is matching events from the exact same main search, keeping only the events from the subsearch (type=inner), so you should only need the subsearch.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

eidil
Explorer
‎08-18-2020 07:32 PM

This query is just a part of some more complex query. the subsearch will return specific host name while the  main search will search the disk space volume at a specified time.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2020 06:13 AM
Why are you joining a datamodel to itself? The result of the inner join should be the same as the subsearch.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...