Looking for a sanity check here. I want to search my Splunk for a long list of field values (essentially, an OR for each value) and the best way to get that list of values is by searching for them.
So a subsearch seemed like the right path to travel, but yields no hits, so I'm unsure if that's my search or my data.
I've tried:
index=main [ search index=pp "item purchased" | rex field=_raw "obtained (?<item>\w+)" | fields item ]
With and without a | format at the end (based on searching here for others trying to do what I am trying to do), or changing my wildcard * search for item="*" and so on.
Basically, I want to find every occurrence in my Splunk for each item purchased. I'm sure this is easy to do, I'm just missing something obvious.
Say there are three results in the subsearch, it will come out into the main search clause looking like:
index=main ( item=A OR item=B OR item=C )
And I suspect that you don't want to search for a field called 'item', but you instead want to just search for (A OR B OR C). This is a little clunky but how you do that in a Splunk subsearch is you rename the field to either 'search' or 'query'.
index=main [ search index=pp "item purchased"
| rex field=_raw "obtained (?<item>\w+)"
| fields item | rename item as search]
Yes, my bad. "| return -1 $item" will return "val1 OR val2 OR val3", while "| return -1 item" will return "item=val1 OR item=val2 OR item=val3"
Based on the above discussion, I think that regarding carasso's answer, the return command should be
... | return -1 $item ...
rather than
... | return -1 item ...
which does what renaming the item field to search does.
Simpler. Replace the 'fields' and 'rename' with 'return', which also removes duplicates:
index=main [ search index=pp "item purchased"
| rex field=_raw "obtained (?<item>\w+)"
| return -1 item]
Great, Nick, thanks. By changing this to "as query" rather than "as search" the magic happened. From 0 hits to 81,000, just like that. Thanks!
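Putting the thread's fixes together, as an added example that is not from any of the posts above: the question's search with the rex capture group intact, first with the subsearch field renamed so Splunk emits a bare OR list, then with `return` (which also deduplicates), and finally the subsearch run on its own with `format` so the generated clause can be inspected before it is trusted. Index names, the search string and the `item` field are the question's; the explicit `return` count of 10000 is my assumption rather than the `-1` used in the thread.

```spl
index=main
    [ search index=pp "item purchased"
      | rex field=_raw "obtained (?<item>\w+)"
      | dedup item
      | fields item
      | rename item AS query ]

index=main
    [ search index=pp "item purchased"
      | rex field=_raw "obtained (?<item>\w+)"
      | return 10000 $item ]

index=pp "item purchased"
| rex field=_raw "obtained (?<item>\w+)"
| dedup item
| fields item
| rename item AS query
| format
```

The third search shows the exact `( A OR B OR C )` string the outer search will receive; a subsearch is silently truncated by the limits.conf [subsearch] maxout (10000 rows by default) and maxtime (60 seconds by default) settings, so compare that result against `| stats dc(item)` when the list of values is large.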