Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Subsearch: Returning the results from the subs...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to return the results from a subsearch alongside the results of the outer/primary search?
[search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg
Of course, I can run the subsearch portion as a separate query, but it would be nice to return the results along side the outer search. Is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi metersk,
Try with appendcols command like this :
`Your primary search' | join [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg |appendcols [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi metersk,
Try with appendcols command like this :
`Your primary search' | join [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg |appendcols [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Um, "maybe", depending on your exact use case.
The canonical use case for a subsearch is to define a filter for the outer search. The subsearch runs and its output is transmogrified (via the format command) into SPL. So the output of a subsearch looks something like:
( ( uid = AAA ) OR ( uid = BBB ) OR ( uid = CCC ) )
The output of the subsearch text-replaces the [ $SUBSEARCH ] part of the outer search. This isn't exactly useful for you "as search results" because it's been transformed. And because of the text-replacement approach, the subsearch MUST run to completion before the outer search can begin.
For some use cases with subsearches - where you're not trying to use a subsearch as a filter for the primary search, you might find the multisearch command useful:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch
This lets you run multiple searches in parallel and return results simultaneously. However, as I understand your use case above this is probably not that useful in this example.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
