Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Problems with search and join command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to run a search that show's both bytes_in and bytes_rec for the network card. Here is my search -
source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Sent/sec"|stats avg(Value) AS Bytes_in by host|join host[source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Recieved/sec"|stats avg(Value) AS Bytes_Rec by host]|timechart avg(Bytes_in) avg(Bytes_Rec)
The error I get is Search operation 'source' is unknown. You might not have permission to run this operation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In subsearches, unlike in the "main" search pipeline, you need to explicitly state the command that should run at the start, which means you need to start off with "search", so for instance [search source ...
So, this should work (at least the subsearch should, I haven't looked deep into your join operation tbh):
source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Sent/sec"|stats avg(Value) AS Bytes_in by host|join host [search source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Recieved/sec"|stats avg(Value) AS Bytes_Rec by host]|timechart avg(Bytes_in) avg(Bytes_Rec)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need to start the subsearch with "search" like below
source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Sent/sec"|stats avg(Value) AS Bytes_in by host|join host[search source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Recieved/sec"|stats avg(Value) AS Bytes_Rec by host]|timechart avg(Bytes_in) avg(Bytes_Rec)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to put the word "search" explicitly in your subsearch: [search source=...
You could also try counter="Bytes Sent/sec" OR counter="Bytes Received/sec" and cut out the subsearch entirely. Might need to fiddle with the rest of the command some.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In subsearches, unlike in the "main" search pipeline, you need to explicitly state the command that should run at the start, which means you need to start off with "search", so for instance [search source ...
So, this should work (at least the subsearch should, I haven't looked deep into your join operation tbh):
source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Sent/sec"|stats avg(Value) AS Bytes_in by host|join host [search source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Recieved/sec"|stats avg(Value) AS Bytes_Rec by host]|timechart avg(Bytes_in) avg(Bytes_Rec)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas
Analytics Workspace deprecation
Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform
