Splunk Search

Is there a way to edit the output given by a subsearch?

Callum_f
Explorer

I have a subsearch that gives the example output below.

Subsearch

 [ search index=prod_diamond sourcetype=CloudWatch_logs source=*downloadInvoice* AND *error* NOT ("lambda-warmer") 
| fields error.requestId 
| rename error.requestId as requestId 
| dedup requestId 
| format ]

Output

( requestId="jjadjdfjjedd_jehdfjdjfhj" ) OR ( requestId="jgjfnfdn_jrhfjdbfd" )....

I need to edit the format that is returned from the first search.

 

Is there a way to change the search to something less specific, such as

(*jjadjdfjjedd_jehdfjdjfhj*) OR (*jgjfnfdn_jrhfjdbfd*) .....

I need to find all events that include the requestId, not just the ones where it appears in that specific field.


ITWhisperer
SplunkTrust

Try like this

 [ search index=prod_diamond sourcetype=CloudWatch_logs source=*downloadInvoice* AND *error* NOT ("lambda-warmer") 
| fields error.requestId 
| rename error.requestId as query
| dedup query
| format ]

The query field is treated differently.

Callum_f
Explorer


@ITWhisperer It works, thank you very much 🙂

I need to search over the last 30 days, but it seems to crash with a time range of over 24 hours. Is there a way to break the search up so it can run, as the subsearch is giving a large number of values that are then searched on?


ITWhisperer
SplunkTrust

You could try this:

 [ search index=prod_diamond sourcetype=CloudWatch_logs source=*downloadInvoice* AND *error* NOT ("lambda-warmer") earliest=-1d@d latest=@d
| fields error.requestId 
| rename error.requestId as query
| dedup query
| format ] OR
 [ search index=prod_diamond sourcetype=CloudWatch_logs source=*downloadInvoice* AND *error* NOT ("lambda-warmer") earliest=-2d@d latest=-1d@d
| fields error.requestId 
| rename error.requestId as query
| dedup query
| format ] OR
 [ search index=prod_diamond sourcetype=CloudWatch_logs source=*downloadInvoice* AND *error* NOT ("lambda-warmer") earliest=-3d@d latest=-2d@d
| fields error.requestId 
| rename error.requestId as query
| dedup query
| format ]
etc., one subsearch per day.

Or perhaps you need to approach it a different way: eliminate the subsearch, or make your 30-day search the main search and your other search the subsearch.

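Automating the "etc." in the answer above, as an added example that is not part of the thread: a small Python builder that emits the daily subsearch chunks for any window (30 days here) instead of pasting 30 copies by hand, and checks that the snap-to-midnight windows are contiguous with no gap or overlap. The SPL template and field names are the thread's own; the builder, its function names, and the assumed outer search (same index, 30-day range) are mine. Two practitioner caveats are worth keeping in mind when you run the result: each subsearch is still individually bounded by the `[subsearch]` stanza in limits.conf (`maxout`, default 10000 results, and `maxtime`, default 60 seconds), and results past those limits are silently dropped; and the expanded search string grows with every requestId, so check the job inspector for truncation rather than trusting an empty result.

```python
"""Build the day-by-day chunked subsearch from the thread for an N-day window.

Added example, not code from the thread. The SPL template is the thread's;
the builder, the outer search and the function names are assumptions.
"""
from typing import List, Tuple

# Subsearch body from the thread. The field is renamed to `query` because
# Splunk treats a subsearch field named `query` specially: `format` emits
# the bare value instead of requestId="value", so the outer search matches
# the requestId token anywhere in the event, not only in that one field.
SUBSEARCH_BODY = (
    'search index=prod_diamond sourcetype=CloudWatch_logs '
    'source=*downloadInvoice* AND *error* NOT ("lambda-warmer") '
    'earliest={earliest} latest={latest} '
    '| fields error.requestId '
    '| rename error.requestId as query '
    '| dedup query '
    '| format'
)


def day_window(days_back: int) -> Tuple[str, str]:
    """Snap-to-midnight window for the calendar day `days_back` days ago.

    days_back=1 -> ("-1d@d", "@d")      yesterday 00:00 to today 00:00
    days_back=2 -> ("-2d@d", "-1d@d")   the day before that
    """
    if days_back < 1:
        raise ValueError("days_back must be >= 1")
    earliest = f"-{days_back}d@d"
    latest = "@d" if days_back == 1 else f"-{days_back - 1}d@d"
    return earliest, latest


def build_chunked_subsearch(days: int) -> str:
    """Return `[ subsearch ] OR [ subsearch ] OR ...`, one chunk per day.

    Each chunk is still subject to the per-subsearch maxout/maxtime limits;
    splitting only shrinks the result set each individual chunk must return.
    """
    chunks: List[str] = []
    for d in range(1, days + 1):
        earliest, latest = day_window(d)
        body = SUBSEARCH_BODY.format(earliest=earliest, latest=latest)
        chunks.append(f"[ {body} ]")
    return " OR ".join(chunks)


def windows_are_contiguous(days: int) -> bool:
    """True when day d's latest equals day d-1's earliest for every d.

    Guards against an off-by-one in the @d snapping that would drop or
    double-count a day's requestIds.
    """
    for d in range(2, days + 1):
        _, latest = day_window(d)
        earlier_start, _ = day_window(d - 1)
        if latest != earlier_start:
            return False
    return True


def build_outer_search(days: int, outer_index: str = "prod_diamond") -> str:
    """Assumed outer search: same index over the full window, then the OR'd
    subsearches. Splunk expands each subsearch in place before running it."""
    if not windows_are_contiguous(days):
        raise RuntimeError("day windows are not contiguous")
    head = f"search index={outer_index} earliest=-{days}d@d latest=@d "
    return head + build_chunked_subsearch(days)


if __name__ == "__main__":
    print(build_outer_search(30))
```

Paste the printed string into the search bar, or feed it to the REST search API, and compare the number of distinct requestIds the subsearches return against the per-subsearch `maxout` before trusting the result.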