Keeping field of subsearch

javo · ‎02-19-2013

How can I keep fields of a subsearch so I can add them to a table with the end result? I tried with no success

... [ ... | fields + foo, bar] | table fieldX, fieldY, foo, bar

The problem is that the subsearch runs on one log file, and the main search runs on a different log with other fields. Field foo is in both logs but field bar is not. So when I call foo it is shown from main log but I can't find the way to keep field bar from the subsearch log.

martin_mueller · ‎02-19-2013

In general adding fields from a second source based on a shared field is a join: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Join

javo · ‎02-20-2013

sourcetype=asdf content=oops [search sourcetype=fdsa fish=-88 | fields location] | table location, content, problem, paper

being problem and paper the two fields in subsearch log I want to show in the table.

martin_mueller · ‎02-19-2013

Here's a generic example of a join:

| gentimes start=-1 increment=5m | eval foo = starttime % 10800 | fields + starttime foo | join type=left [gentimes start=-1 increment=1h | eval foo = starttime % 10800 | eval bar = 42 | fields + foo bar]

Ayn · ‎02-19-2013

You haven't provided us with a full search so it's hard to give you more advice on how you could rewrite your query.

javo · ‎02-19-2013

I'm not sure if this is what I need. Any example please?

Keeping field of subsearch

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?