Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Nested subsearches with lookup

Janani_Krish
Path Finder
‎11-01-2021 02:07 AM

I have a query structured like below with main search and sub search where the main search includes lookup,

|inputlookup tci|search tag.name="ap" |rename tag.name as tags|dedup indicator|table indicator confidence rating ownerName tags|union[search sourcetype="cisco:*" action=allowed 
|rename src_ip as indicator|dedup indicator|table indicator confidence rating ownerName tags]|stats count values(confidence) as confidence values(rating) as rating values(ownerName) as ownerName values(tags) as tags by indicator|where count>1|table indicator confidence rating ownerName tags

  I wanted the results of this query to be lookup into one more source type and take out raw data. I have tried the below but it doesn't work,

sourcetype="symantec:*"[|inputlookup tci|search tag.name="ap" |rename tag.name as tags|dedup indicator|table indicator confidence rating ownerName tags|union[search sourcetype="cisco:*" action=allowed 
|rename src_ip as indicator|dedup indicator|table indicator confidence rating ownerName tags]|stats count values(confidence) as confidence values(rating) as rating values(ownerName) as ownerName values(tags) as tags by indicator|where count>1|table indicator confidence rating ownerName tags]|table _raw


Please suggest any alternatives to lookout for source type where we have to derive the result from nested sub searches with lookups.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2021 03:45 AM

Have you tried using format?

sourcetype="symantec:*" [|inputlookup tci|search tag.name="ap" |rename tag.name as tags|dedup indicator|table indicator confidence rating ownerName tags|union[search sourcetype="cisco:*" action=allowed 
|rename src_ip as indicator|dedup indicator|table indicator confidence rating ownerName tags]|stats count values(confidence) as confidence values(rating) as rating values(ownerName) as ownerName values(tags) as tags by indicator|where count>1|table indicator confidence rating ownerName tags | format ]|table _raw
0 Karma
Reply

Janani_Krish
Path Finder
‎11-01-2021 11:38 PM

Hi @ITWhisperer 

Tried using format now. But this as well is not returning any results although our inner sub search is returning results.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...