Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch: Returning the results from the subsearch and outer/primary search simultaneously.

metersk
Path Finder
‎04-06-2015 08:48 AM

Is it possible to return the results from a subsearch alongside the results of the outer/primary search?

[search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg

Of course, I can run the subsearch portion as a separate query, but it would be nice to return the results along side the outer search. Is this possible?

Reply
1 Solution
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-06-2015 09:28 AM

Hi metersk,

Try with appendcols command like this :

`Your primary search' | join  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg  |appendcols  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]

View solution in original post

Reply
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-06-2015 09:28 AM

Hi metersk,

Try with appendcols command like this :

`Your primary search' | join  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg  |appendcols  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎04-06-2015 09:25 AM

Um, "maybe", depending on your exact use case.

The canonical use case for a subsearch is to define a filter for the outer search. The subsearch runs and its output is transmogrified (via the format command) into SPL. So the output of a subsearch looks something like:

(  ( uid = AAA ) OR ( uid = BBB ) OR ( uid = CCC ) )

The output of the subsearch text-replaces the [ $SUBSEARCH ] part of the outer search. This isn't exactly useful for you "as search results" because it's been transformed. And because of the text-replacement approach, the subsearch MUST run to completion before the outer search can begin.

For some use cases with subsearches - where you're not trying to use a subsearch as a filter for the primary search, you might find the multisearch command useful:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch

This lets you run multiple searches in parallel and return results simultaneously. However, as I understand your use case above this is probably not that useful in this example.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...