Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pass fields from base search to subsearch fails

stwong
Communicator
‎10-08-2016 10:28 AM

Hi, I tried to do a base search, then pass fields to subsearch as both a filter and stat columns. I tested with following:

index="_internal" | eval MyUser=user | table MyUser bytes | map search="search index="_audit" user=$MyUser$ | stats values(user), values($MyUser$) as MyUser, values($bytes$) as bytes, values(action) "

user=$MyUser$ works but the columns for fields MyUser and bytes are empty.

Please help. Thanks.

Besides, will there be better and more efficient way to do so?

Thanks a lot.
/ST Wong

0 Karma
Reply

sundareshr
Legend
‎10-09-2016 07:14 AM

What are you trying to do? I don't believe there is a co-relation between user & bytes in _internal AND user & bytes in _audit. Try this search, is this what you're after?

(index=_internal OR index=_audit) | stats values(bytes) as bytes values(action) as actions dc(index) as idx by user | where idx=2
0 Karma
Reply

stwong
Communicator
‎10-09-2016 08:05 AM

Hi, thanks. I just try to do a base search, then pass fields to subsearch as both a filter and stat columns as mentioned. As i don't have much sample data for my trial splunk cloud instance, I just use _internal and _audit to verify the method, for learning the map function. Sorry to cause you confusion.

Thanks.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-09-2016 01:53 AM

Hi stwong,
I had this problem and I think that it's a bug.
I solved it with a workaround, inserting in the base search an eval command with the missed fields: e.g. | eval myfield=myfield
In this way I found the field also in the panel search.
Bye.
Giuseppe

0 Karma
Reply

stwong
Communicator
‎10-09-2016 08:01 AM

Hi Giuseppe,

Thanks, I modified my search as following but doesn't work still:

index="_internal" | eval MyUser=user | table MyUser bytes | eval MyUser=MyUser | eval bytes=bytes | map search="search index="_audit" user=$MyUser$ | stats values(user), values($MyUser$) as MyUser, values($bytes$) as bytes, values(action) "

shall I add the eval statement like that? Thanks again.

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...