Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search based on results of another search?

lnetherton
Engager
‎03-06-2014 08:37 AM

Is it possible to perform a search on a whole dataset using a subset of terms from a previous search?

For example, I have a search that yields all the failed transactions based on an event type:

sourcetype=catalina* eventtype=search_fail

I get back rows in the following form:

Mar 6, 2014 12:24:38 AM api.core.helper.LogHelper severe SEVERE: There was an error for search_id=530959

These rows all contain a search_id number. I would like to then initiate a new search for any search_id equal to these values, so that I can see all events leading up to these failures. Is that possible?

I have tried various things like:

sourcetype=catalina* eventtype=search_fail | search search_id
sourcetype=catalina* eventtype=search_fail | search search_id=search_id
sourcetype=catalina* eventtype=search_fail [ search search_id ]
...

But nothing seems to do what I am after.

Tags (1)
Reply

lnetherton
Engager
‎03-06-2014 09:03 AM

Actually, I've figured it out. I needed to use the fields operator to specifically select only the field that I want to use to search (search_id in my case). I also misunderstood the way that subsearches work -- it is important to know that the subsearch is evaluated first, and the result used to augment the outer search.

This search term ended up doing what I wanted:

sourcetype=catalina* [ search sourcetype=catalina* eventtype=search_fail | fields + search_id ]

It was useful to know that the sub-search operation implicitly appends a | format operator on to the end. Combined with the fields + search_id operation, the sub-search term is effectively expanded to something like this:

sourcetype=catalina* ( ( search_id="530959" ) OR ( search_id="529947" ) OR ( search_id="529938" ) OR ( search_id="529919" ) OR ( search_id="529793" ) OR ( search_id="529792" ) OR ( search_id="529568" ) OR ( search_id="529559" ) )

which of course produces the output that I was after.

Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-25-2020 07:44 AM
Please remember that there are row and time out limits for sub searches.... Sometimes those will hit if you are have two many rows in sub search. In those cases you must divide this search to two part e.g. first create lookup and then queries values from it on the actual search.
R. Ismo
0 Karma
Reply

slw07gdev
Explorer
‎06-25-2020 03:25 AM

You're the real MVP. 

0 Karma
Reply

butzowj
Path Finder
‎04-20-2016 12:21 PM

Wanted to thank you for this. I as able to use your example to solve a problem I had, and you also helped me understand how subsearches work!

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...