Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Passing values from subsearch to Parent Search

ashvinpandey
Contributor
‎12-15-2021 01:27 AM

I am stuck with a query where I am trying to pass the field value from sub search to parent search:

Query: 

 

index=f5 sourcetype="*f5*" earliest=-1d@d latest=d@d
[| inputlookup user where country="US" | fields UserName | rename user_name ]

 

Explanation: The field name which is going to match from the subsearch is the user_name, now in the parent search there are two fields for user that is user_name and Account_name and i need both of them in the end result (user_name contains internal users/ Account_name contains external users).
I tried using coalesce to merge both the fields in the parent search but eval pops an error.

Can anyone please help me in solving this problem ?

Labels (2)
Labels
Tags (1)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-15-2021 04:55 AM

Hi @ashvinpandey 
i am not sure if i understand your problem correctly... but, still... i think this should be helpful to your problem...

index=f5 sourcetype="*f5*" earliest=-1d@d latest=d@d
[| inputlookup user where country="US" | fields UserName | rename UserName as user_name | return user_name ]

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-15-2021 03:25 AM

I'm not exactly sure what you're trying to achieve. What should the subsearch resolve to?

user_name="internal_user" AND Account_name="external-user"

Just do your subsearch to include those two fields. If it's the same value, just add

| eval Account_name=user_name

at the end of your subsearch.

If they are supposed to have different values, you have to look them up of course on their own. Can't tell you how though without knowing the lokup and its structure.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-15-2021 02:37 AM
Hi
Have you already try return? https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Return
r. Ismo
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...