Splunk Search

Iterative subsearch (iterative OR search, at any rate)

howyagoin
Contributor

Looking for a sanity check here. I want to search my Splunk for a long list of field values (essentially, an OR for each value) and the best way to get that list of values is by searching for them.

So a subsearch seemed like the right path to travel, but yields no hits, so I'm unsure if that's my search or my data.

I've tried:

index=main [ search index=pp "item purchased" 
| rex field=_raw "obtained (?<item>\w+)" 
| fields item ]

With and without a | format at the end (based on searching here for others trying to do what I am trying to do), or changing my wildcard * search for item="*" and so on.

Basically, I want to find every occurrence in my Splunk for each item purchased. I'm sure this is easy to do, I'm just missing something obvious.

1 Solution

sideview
SplunkTrust

Say there are three results in the subsearch, it will come out into the main search clause looking like:

index=main ( item=A OR item=B OR item=C )

And I suspect that you don't want to search for a field called 'item', but you instead want to just search for (A OR B OR C). This is a little clunky but how you do that in a Splunk subsearch is you rename the field to either 'search' or 'query'.

index=main [ search index=pp "item purchased" 
| rex field=_raw "obtained (?<item>\w+)" 
| fields item | rename item as search]

carasso
Splunk Employee

Yes, my bad. "| return -1 $item" will return "val1 OR val2 OR val3", while "| return -1 item" will return "item=val1 OR item=val2 OR item=val3"


gkanapathy
Splunk Employee

Based on the above discussion, I think that regarding carasso's answer, the return command should be

... | return -1 $item ...

rather than

... | return -1 item ...

which does what renaming the item field to search does.


carasso
Splunk Employee

Simpler: replace the 'fields' and 'rename' with 'return', which also removes duplicates:

index=main [ search index=pp "item purchased"
| rex field=_raw "obtained (?<item>\w+)"
| return -1 item]

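To make the difference between the two answers above concrete (sideview's 'rename item as search' and carasso's 'return -1 $item' versus 'return -1 item'), here is a small Python model of what a subsearch hands back to the outer search. This is an added example, not Splunk's own code and not code from anyone in this thread: it extracts the item values with the same regex as the posts, then builds the OR clause either as field=value terms or as bare terms, optionally de-duplicated the way 'return' does. The sample events are constructed, and the exact quoting and parenthesisation Splunk's real 'format' emits differs in detail; the point is the shape of the clause and the fact that every value is quoted before it is spliced into a search string, so a value that happens to contain OR, AND or a pipe is treated as a literal term rather than as search syntax.

```python
import re
from collections import OrderedDict

# Constructed sample events, standing in for what
# `index=pp "item purchased"` would return. Not real data.
SAMPLE_EVENTS = [
    '2024-01-01 10:00:00 user=alice item purchased: obtained widget',
    '2024-01-01 10:05:00 user=bob item purchased: obtained gadget',
    '2024-01-01 10:07:00 user=carol item purchased: obtained widget',
    '2024-01-01 10:09:00 user=dave item purchased: obtained sprocket',
    '2024-01-01 10:11:00 user=erin login ok',  # no match, contributes nothing
]

# Same pattern as the thread's `rex field=_raw "obtained (?<item>\w+)"`.
ITEM_RE = re.compile(r"obtained (?P<item>\w+)")


def extract_items(events):
    """Model of the rex stage: one 'item' value per event that matches."""
    items = []
    for ev in events:
        m = ITEM_RE.search(ev)
        if m:
            items.append(m.group("item"))
    return items


def quote(value):
    """Quote a value so it is spliced into the outer search as a literal term.

    Without this, a value pulled out of event data that contains a space,
    OR/AND, or a pipe would be read as search syntax by the outer search.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def format_subsearch(field, values, bare=False, dedup=False):
    """Build the clause the subsearch contributes to the outer search.

    bare=False -> ( item="A" OR item="B" )   : `fields item` / `return -1 item`
    bare=True  -> ( "A" OR "B" )             : `rename item as search` /
                                               `rename item as query` /
                                               `return -1 $item`
    dedup=True -> repeats collapsed, as `return` does and `fields` does not.

    Returns None when the subsearch produced no values, so the caller can
    notice that case instead of silently running an outer search that
    matches nothing (the "0 hits" symptom from the original question).
    """
    if dedup:
        values = list(OrderedDict.fromkeys(values))
    if not values:
        return None
    terms = [quote(v) if bare else f"{field}={quote(v)}" for v in values]
    return "( " + " OR ".join(terms) + " )"


def build_outer_search(base, clause):
    """Splice the subsearch clause into the outer search, e.g. after `index=main`."""
    if clause is None:
        return None
    return f"{base} {clause}"


if __name__ == "__main__":
    items = extract_items(SAMPLE_EVENTS)
    # The clause the asker was getting: a field that the index=main events lack.
    print(build_outer_search("index=main", format_subsearch("item", items)))
    # The clause that produced the 81,000 hits: bare terms, duplicates removed.
    print(build_outer_search("index=main",
                             format_subsearch("item", items, bare=True, dedup=True)))
```

The first printed search is the one the asker's original subsearch produced, which finds nothing when the index=main events have no field named item; the second is what 'rename item as query' or 'return -1 $item' yields.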

howyagoin
Contributor

Great, Nick, thanks. By changing this to "as query" rather than "as search" the magic happened. From 0 hits to 81,000, just like that. Thanks!
