Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Keeping field of subsearch

javo
Explorer
‎02-19-2013 06:09 AM

How can I keep fields of a subsearch so I can add them to a table with the end result? I tried with no success

... [ ... | fields + foo, bar] | table fieldX, fieldY, foo, bar

The problem is that the subsearch runs on one log file, and the main search runs on a different log with other fields. Field foo is in both logs but field bar is not. So when I call foo it is shown from main log but I can't find the way to keep field bar from the subsearch log.

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2013 06:23 AM

In general adding fields from a second source based on a shared field is a join: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Join

Reply

javo
Explorer
‎02-20-2013 07:12 AM

sourcetype=asdf content=oops [search sourcetype=fdsa fish=-88 | fields location] | table location, content, problem, paper

being problem and paper the two fields in subsearch log I want to show in the table.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2013 01:00 PM

Here's a generic example of a join:

| gentimes start=-1 increment=5m | eval foo = starttime % 10800 | fields + starttime foo | join type=left [gentimes start=-1 increment=1h | eval foo = starttime % 10800 | eval bar = 42 | fields + foo bar]
Reply

Ayn
Legend
‎02-19-2013 12:35 PM

You haven't provided us with a full search so it's hard to give you more advice on how you could rewrite your query.

0 Karma
Reply

javo
Explorer
‎02-19-2013 11:46 AM

I'm not sure if this is what I need. Any example please?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...