Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use subsearch without a field name? (but just with field value for more than one fileld)

thanchen
Explorer
‎06-07-2023 01:03 AM

Here is the document, but how?

https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults

 

 

 

Using the query field name
Use the query field name when you want the values in the fields returned from the subsearch, but not the field names.

The query field name is similarly to using the format command. Instead of passing the field and value pairs to the main search, such as:

(field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2)  

Using the query field name passes only the values:

(val1_1 AND val1_2) OR (val2_1 AND val2_2)

 

 

 


When rename one fields as query, got `remoteSearch premakeresults 1 ( ( field2="val1_2" AND val1_1 ) )` in inspect job log's remoteSearch.
What I want is `remoteSearch premakeresults 1 ( ( "val1_2" AND val1_1 ) )`

 

 

| makeresults 1 

[ 
    | makeresults 1 
    | eval field1="val1_1" 
    | eval field2="val1_2" 
    | fields field1 field2
    | rename field1 AS query
    ```| rename field2 AS query```
]

 

 


Below post only rename one field as query.
https://community.splunk.com/t5/Splunk-Search/How-to-use-subsearch-without-a-field-name-but-just-wit...
 
@woodcock sorry to bother you, seeing a lot of high quality answers from you, seeking your help here.


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-07-2023 01:41 AM

Hi

there are couple of ways to test it, but probably easiest way to test it is

index=_audit 
    [| makeresults 
    | eval query="val1_1 AND val1_1" 
    | table query]

Another way is use search instead of query as field name.

Here is one recent post how to do this https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-format-to-get/m-p/645818/highlig...

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-07-2023 01:41 AM

Hi

there are couple of ways to test it, but probably easiest way to test it is

index=_audit 
    [| makeresults 
    | eval query="val1_1 AND val1_1" 
    | table query]

Another way is use search instead of query as field name.

Here is one recent post how to do this https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-format-to-get/m-p/645818/highlig...

r. Ismo 

0 Karma
Reply
Solved! Jump to solution

thanchen
Explorer
‎06-07-2023 03:27 AM

The answer is already in the link, sorry I didn't read it carefully at the begining, the discusstion with Giuseppe lead to the same solution.

<your_main_search> 
  [ search <your_secondary_search>
| eval search="(\"" + field1 + "\" AND \"" + field2 + "\")" 

| stats
    values(search) AS searches 
| eval search=mvjoin(searches, " OR ")

| fields search
]

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2023 03:32 AM

Hi @thanchen ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2023 01:12 AM

Hi @thanchen ,

you can pass a value from a subsearch without specifying the field name renaming the field as "query", in this way you perform a full text search on the main search events, some thing like this:

<your_main_search> [ search <your_secondary_search> | rename field1 AS query | fields query ]
...

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

thanchen
Explorer
‎06-07-2023 01:50 AM

Hi Giuseppe, I tried this, it only gives me `premakeresults 1 ( ( val1_1 ) )`
I need `premakeresults 1 ( ( val1_1 AND val1_2 ) )`

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2023 02:00 AM

Hi @thanchen,

it's not clear for me where you take val1 and val2, anyway, you can use the subsearch two times:

<your_main_search> ([ search <your_secondary_search> | rename field1 AS query | fields query ] OR [ search <your_secondary_search> | rename field2 AS query | fields query ])
...

Ciao.

Giuseppe

Reply
Solved! Jump to solution

thanchen
Explorer
‎06-07-2023 02:20 AM

My example in only a Minimal, Reproducible Example
val1 and val2 comes from two fields field1 and field2
Use the subsearch two times should be a workaround, but if I want three or more, I believe there should be a solution.

And I tried `| rex mode=sed field=search "s/(field1|field2)=//g"` at the end of subsearch, no luck.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-07-2023 02:25 AM

Have you try something like

<your_main_search> 
  [ search <your_secondary_search>
    | eval search=field1 . " AND " . field2
    | table search ]

 

Reply
Solved! Jump to solution

thanchen
Explorer
‎06-07-2023 02:42 AM

Thanks @isoutamo , this one works, but only work for one row output in subsearch

but in real world, we may need more than one row results in subseach, just like the official document shows:

(val1_1 AND val1_2) OR (val2_1 AND val2_2)

https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults

cc: @gcusello 

0 Karma
Reply
Solved! Jump to solution

thanchen
Explorer
‎06-07-2023 03:11 AM

Looks by doing below, it could cover the case that have multi rows results in subsearch.

<your_main_search> 
  [ search <your_secondary_search>
| eval search="(\"" + field1 + "\" AND \"" + field2 + "\")" 

| stats
    values(search) AS searches 
| eval search=mvjoin(searches, " OR ")

| fields search
]
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...