Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Passing subsearch reporting command results to the outer search

oreoshake
Communicator
‎06-03-2010 11:47 PM 
 sourcetype=package_formatted [search sourcetype=package_formatted | stats dc(version) as version_test by name | search version_test>1 | fields name] | dedup host | stats values(version) by name

Basically what I'm trying to do is figure out which packages are installed and see if they are of consistent version numbers across the infrastructure. 

sourcetype=package_formatted | stats dc(version) as version_test by name | search version_test>1

Works fine, only returns the packages where more than one version exists, but I noticed the fields command at the end didn't have an effect (all fields were returned). But when I put it in the subsearch, I'm getting back "name"s which weren't in the subsearch.

So is a reporting function like stats ignored and only the raw results are used?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 04:38 PM

The subsearch here never returns results or events to the outer search, it just adds search terms. Putting the fields command in the subsearch makes sure that the boolean expression that the subsearch emits looks like:

name=name_1 OR name=name_2 OR name=_name3 ...

As opposed to: (name=name_1 AND version_test=version_test1) OR (name=name_2 AND version_test=version_test2) ...

However, either way wouldn't cause the outer search to give "name"s not in the subsearch.

If you want to find the packages that are inconsistent and the hosts they are on, you probably don't even need the subsearch:

sourcetype=package_formatted | stats dc(version) as version_count values(version) as versions values(host) as hosts by name | search version_count>1 | fields - version_count

What would you like your final table of results to look like?

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 04:38 PM

The subsearch here never returns results or events to the outer search, it just adds search terms. Putting the fields command in the subsearch makes sure that the boolean expression that the subsearch emits looks like:

name=name_1 OR name=name_2 OR name=_name3 ...

As opposed to: (name=name_1 AND version_test=version_test1) OR (name=name_2 AND version_test=version_test2) ...

However, either way wouldn't cause the outer search to give "name"s not in the subsearch.

If you want to find the packages that are inconsistent and the hosts they are on, you probably don't even need the subsearch:

sourcetype=package_formatted | stats dc(version) as version_count values(version) as versions values(host) as hosts by name | search version_count>1 | fields - version_count

What would you like your final table of results to look like?

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...