Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subsearch: Returning the results from the subsearc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to return the results from a subsearch alongside the results of the outer/primary search?
[search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg
Of course, I can run the subsearch portion as a separate query, but it would be nice to return the results along side the outer search. Is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi metersk,
Try with appendcols command like this :
`Your primary search' | join [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg |appendcols [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi metersk,
Try with appendcols command like this :
`Your primary search' | join [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg |appendcols [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Um, "maybe", depending on your exact use case.
The canonical use case for a subsearch is to define a filter for the outer search. The subsearch runs and its output is transmogrified (via the format command) into SPL. So the output of a subsearch looks something like:
( ( uid = AAA ) OR ( uid = BBB ) OR ( uid = CCC ) )
The output of the subsearch text-replaces the [ $SUBSEARCH ] part of the outer search. This isn't exactly useful for you "as search results" because it's been transformed. And because of the text-replacement approach, the subsearch MUST run to completion before the outer search can begin.
For some use cases with subsearches - where you're not trying to use a subsearch as a filter for the primary search, you might find the multisearch command useful:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch
This lets you run multiple searches in parallel and return results simultaneously. However, as I understand your use case above this is probably not that useful in this example.
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!
