Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How would I use multiple values from a subsearch a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am looking for a query which will accept multiple value subsearch output as a input of main serach, See below :
index=myIndex UniqueReqId in [ search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId ]
This sub search "search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId" will return multiple value like below :
UniqueReqId Total user
002cc2c7-b1e4-49de-bbd3-caa6c2e741e3 1
00426627-98cf-4dd5-97b6-af4cde045286 1
00567c49-5638-4a0c-a803-04d0b3662aac 1
006ef351-33b8-40ed-b320-28473ea1f481 1
00caf75c-deed-4581-ab5a-04929b1a943d 1
00ff69ef-d57c-43ad-9b64-38cf39b94f6f 1
01395957-648b-4e9a-ac76-7fa68f833fce 1
01e82329-3d58-4d11-bdca-88100a2dc85c 1
02084578-869a-4ce5-bc20-b86c3fea34d2 1
021272cb-c043-483f-8512-244210471c63 1
02191c34-b485-4a6d-9d77-53f0a8e7875c 1
0228ff59-27f8-47e1-a38f-88acdb94fb22 1
028177b6-f2f3-4c53-948e-558d51287d43 1
02be90c8-5737-4f89-a204-2a3ea5f79047 1
02df9ecb-29bf-4aad-b479-26fde9b6ca94 1
02e2ef7f-ea55-4311-b724-c06fe5ab416d 1
02e7bacd-4579-44c6-b4c2-be0a4fbf4566 1
02eb4faa-39c1-431d-9590-a1fabc7eecd8 1
031229db-d4ef-4783-b649-9a1e738d495a 1
03216368-6d8e-42e9-8fb1-e2ace7794f4c 1
Now whatever the value we are getting in column UniqueReqId, we need to use each value one by one to the main query in UniqueReqId=EachValue.
Like Sample example :
index=myIndex UniqueReqId IN [002cc2c7-b1e4-49de-bbd3-caa6c2e741e3,00426627-98cf-4dd5-97b6-af4cde045286,00426627-98cf-4dd5-97b6-af4cde0452dsd,etc]
I searched a lot but did not get the solution for my requirement however got the solution for single value subsearch output as input for main search.
Thanks,
Wasim
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, This is what i was looking for.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mdwasimkhan,
If I correctly understood, try something like this
index=myIndex MyLogger [ search index=myIndex UniqueReqId | eval UniqueReqId=upper(UniqueReqId) | dedup UniqueReqId | fields UniqueReqId ]
| stats count as "Total user" by UniqueReqId
In this way you have the event count for each user.
beware that UniqueReqId field must have the same name in both the searches.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because below is the expected query :
index=myindex [ search index=myindex mylogger | dedup uniquereqid | fields uniquereqid ]
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually I have 2 below logger, In that common field is UniqueReqId only.
LOGGER([UniqueReqId]+[MyLogger])
LOGGER([UniqueReqId]+[userName]+[Action])
So my requirement is i need to find out the UniqueReqId which contains MyLogger.[ This i want to search in sub-search block.]
once i will get the
all possible UniqueReqId in sub-search then We need to find out the userName who is using action=myAction and UniqueReqId=[Multiple UniqueReqId from subsearch].
So fetch the userName from all possible UniqueReqId got from subsearch where action=myAction.
We have multiple actions, so action=MyAction and UniqueReqId=(02191c34-b485,0228ff59,02be90c8,02e2ef7f etc)
MyLogger is not require here, because it does not apear in other logger.
Below command is working fine for me. Thanks Giuseppe 🙂
index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
