Splunk Search

How to use subsearch without a field name? (but just with field value for more than one field)

thanchen
Explorer

Here is the document, but how?

https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults

Using the query field name
Use the query field name when you want the values in the fields returned from the subsearch, but not the field names.

The query field name is similar to using the format command. Instead of passing the field and value pairs to the main search, such as:

(field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2)  

Using the query field name passes only the values:

(val1_1 AND val1_2) OR (val2_1 AND val2_2) 


When renaming one field as query, I got `remoteSearch premakeresults 1 ( ( field2="val1_2" AND val1_1 ) )` in the job inspector's remoteSearch.
What I want is `remoteSearch premakeresults 1 ( ( "val1_2" AND val1_1 ) )`

| makeresults 1 

[ 
    | makeresults 1 
    | eval field1="val1_1" 
    | eval field2="val1_2" 
    | fields field1 field2
    | rename field1 AS query
    ```| rename field2 AS query```
]


The post below only renames one field as query.
https://community.splunk.com/t5/Splunk-Search/How-to-use-subsearch-without-a-field-name-but-just-wit...
@woodcock sorry to bother you, seeing a lot of high quality answers from you, seeking your help here.



isoutamo
SplunkTrust

Hi

there are a couple of ways to test it, but probably the easiest way is

index=_audit 
    [| makeresults 
    | eval query="val1_1 AND val1_1" 
    | table query]

Another way is to use search instead of query as the field name.

Here is one recent post on how to do this: https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-format-to-get/m-p/645818/highlig...

r. Ismo 


thanchen
Explorer

The answer is already in the link, sorry I didn't read it carefully at the beginning; the discussion with Giuseppe led to the same solution.

<your_main_search>
  [ search <your_secondary_search>
    | eval search="(\"" + field1 + "\" AND \"" + field2 + "\")"
    | stats values(search) AS searches
    | eval search=mvjoin(searches, " OR ")
    | fields search ]


gcusello
SplunkTrust

Hi @thanchen ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello
SplunkTrust

Hi @thanchen ,

you can pass a value from a subsearch without specifying the field name by renaming the field as "query"; in this way you perform a full text search on the main search events, something like this:

<your_main_search> [ search <your_secondary_search> | rename field1 AS query | fields query ]
...

Ciao.

Giuseppe


thanchen
Explorer

Hi Giuseppe, I tried this, it only gives me `premakeresults 1 ( ( val1_1 ) )`
I need `premakeresults 1 ( ( val1_1 AND val1_2 ) )`

0 Karma

gcusello
SplunkTrust

Hi @thanchen,

it's not clear to me where you take val1 and val2 from; anyway, you can use the subsearch two times:

<your_main_search> ([ search <your_secondary_search> | rename field1 AS query | fields query ] OR [ search <your_secondary_search> | rename field2 AS query | fields query ])
...

Ciao.

Giuseppe

thanchen
Explorer

My example is only a Minimal, Reproducible Example.
val1 and val2 come from two fields, field1 and field2.
Using the subsearch two times would be a workaround, but if I want three or more, I believe there should be a solution.

And I tried `| rex mode=sed field=search "s/(field1|field2)=//g"` at the end of subsearch, no luck.


isoutamo
SplunkTrust

Have you tried something like

<your_main_search> 
  [ search <your_secondary_search>
    | eval search=field1 . " AND " . field2
    | table search ] 


thanchen
Explorer

Thanks @isoutamo, this one works, but it only works for one row of output in the subsearch,

but in the real world we may need more than one row of results in the subsearch, just like the official document shows:

(val1_1 AND val1_2) OR (val2_1 AND val2_2) 

https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults

cc: @gcusello 


thanchen
Explorer

It looks like doing the below could cover the case that has multi-row results in the subsearch.

<your_main_search>
  [ search <your_secondary_search>
    | eval search="(\"" + field1 + "\" AND \"" + field2 + "\")"
    | stats values(search) AS searches
    | eval search=mvjoin(searches, " OR ")
    | fields search ]
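As an added, self-contained check that is not from the thread: the same string-building approach run against a two-row subsearch built with makeresults, so the generated expression can be read back from the job inspector's remoteSearch entry. The index name and all field values are constructed for the example.

```spl
index=_audit
    [ | makeresults count=2
      | streamstats count AS n
      | eval field1="val" . n . "_1", field2="val" . n . "_2"
      | eval search="(\"" . field1 . "\" AND \"" . field2 . "\")"
      | stats values(search) AS searches
      | eval search=mvjoin(searches, " OR ")
      | fields search ]
```

The subsearch expands to ("val1_1" AND "val1_2") OR ("val2_1" AND "val2_2"); values(search) deduplicates and sorts the rows, so use list(search) if order or duplicates matter. Any value containing a double quote has to be escaped before it is wrapped, otherwise the generated search string is malformed.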