Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch in SPLUNK with the name of index

SplunkDash
Motivator
‎05-01-2024 06:51 AM

Hello, 

I have a use case to get the index name from the field of one of the index/sourcetype and use that index name value to search the content of that index, but not getting any result. Here is what I did:

index =meta_info sourcetype=meta:info| search group_name=admingr AND spIndex_name=admin_audit

| eval getIndex=spIndex_name
| search index=getIndex

Any help will be highly appreciated, thank you!

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-01-2024 04:35 PM

The you should use the index with list of indexes to search as the subsearch, i.e. put your meta search in the subsearch and it will return the index you want.

[ 
  | search index=meta_info sourcetype=meta:info
  | search group_name=admingr AND spIndex_name=admin_audit
  | rename spIndex_name as index
  | fields index
]

In the form above, it's totally hard coded, but I assume the spIndex_name= statement is variable.

 

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-01-2024 03:45 PM

Your search is a little odd - it seems you just want to search index=admin_audit - so what's the purpose of the index=meta_info part 

what's wrong with just

index=admin_audit

 

Reply
Solved! Jump to solution

SplunkDash
Motivator
‎05-01-2024 04:05 PM

@bowesmana @richgalloway;,

We have an index that contains the list of index names; so, one search is going to get the index name from that index; other search is going to search the events (or get the events) within that index. A very interesting use case. But customer wants it. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-01-2024 04:35 PM

The you should use the index with list of indexes to search as the subsearch, i.e. put your meta search in the subsearch and it will return the index you want.

[ 
  | search index=meta_info sourcetype=meta:info
  | search group_name=admingr AND spIndex_name=admin_audit
  | rename spIndex_name as index
  | fields index
]

In the form above, it's totally hard coded, but I assume the spIndex_name= statement is variable.

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-01-2024 07:21 AM

The search command doesn't handle field names on both sides of the equals sign.  Use where, instead.

index =meta_info sourcetype=meta:info| search group_name=admingr AND spIndex_name=admin_audit
| eval getIndex=spIndex_name
| where index=getIndex

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎05-01-2024 07:35 AM

Hey @richgalloway

Thank you for your quick response. But it's not working, not getting any result. Just to let you know  spIndex_name is the name of the index and also eval value getIndex is not returning the index name admin_audit.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎05-01-2024 08:22 AM

Hello @richgalloway 

getIndex should should return value admin_audit from the eval; search at the end should return the content/events  of the index admin_audit

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...