Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subsearch help

mburbidg
Explorer
‎02-03-2012 05:31 PM

I have two different kinds of events. I would like to relate the two. The first event looks like this.

[2012-02-02 20:17:51,931] INFO - sessionId=8AD487DD-DB3F-4C3E-AB9A-302ABF05E6FC code=NewsStandPushNotificationReceived externalSignInStatus=true

The second looks like this.

[2012-02-02 20:18:03,050] INFO - sessionId=8AD487DD-DB3F-4C3E-AB9A-302ABF05E6FC code=NewsStandPushCompleted startedBackgroundDownload=true

I would like to find all the sessionIds where startedBackgroundDownload=false from the second event and externalSignInStatus=true from the first event.

I think I would be able to do this with a subsearch, but nothing I've tried has resulted in anything but 0 matching events. Can anyone help me with a subsearch that would do what I need?

Tags (1)
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎02-03-2012 09:27 PM

Duplicate post , answered here :

http://splunk-base.splunk.com/answers/40056/help-with-subsearch

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...