Splunk Search

Subsearch in search command not returning results

msarro
Builder

Hey everyone, I am pretty sure this is a simple question, but I'd appreciate a sanity check.

When I run the following command I get a list of values (2910 results, suppose one value is the string "ReturnedValueX"):

index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD

When I try to run it as a subsearch to another search command however, I get 0 results.

index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD]

BUT, if I take one of the values from MY_OTHER_FIELD and use it as a string in the search command like this I get results:

index=myothersearchindex host="myserver*" "ReturnedValueX"

The only possible issues I can think of are:
1) The number of results from the subsearch is too high
2) There are no defined fields in index=myothersearchindex, just raw log data. The goal is to take the list of string values from the subsearch and use it to limit the results of the outer search.


bmacias84
Champion

Hello msarro,

I think I see what you are trying to do, which is to pass the values up from a subsearch to the main search. For this you will need to use the return command. By default return only returns one value, but you can increase that. There are performance implications to increasing the return value.

Here is my example not knowing your data.


index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|return 10 MY_OTHER_FIELD]

What your search actually looks like:


index=myothersearchindex host="myserver*" MY_OTHER_FIELD="Value1" OR MY_OTHER_FIELD="Value2" OR MY_OTHER_FIELD="Value3" OR MY_OTHER_FIELD="Value4" OR MY_OTHER_FIELD="Value5" OR MY_OTHER_FIELD="Value6"

If you just want the values, use ... | return 10 $MY_OTHER_FIELD

Additional Reading:

Return

Hope this helps or gets you started. If it does don't forget to vote up and/or accept the answer.

Cheers
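A small model of the expansion bmacias84 describes, added here as an example rather than anything from the thread or from Splunk itself: rows from the subsearch are rendered into the OR clause the outer search receives, either as field="value" terms (the `| table field` and `| return N field` forms) or as bare values (`| return N $field`), and then matched against constructed raw events that have no MY_OTHER_FIELD extraction, which is the situation msarro describes for index=myothersearchindex. The sample rows, the events, the hostname regex and the helper names are all assumptions.

```python
import re

# Constructed rows, as a subsearch would hand them back (field name from the thread).
SUBSEARCH_ROWS = [{"MY_OTHER_FIELD": "ReturnedValueX"},
                  {"MY_OTHER_FIELD": "ReturnedValueY"},
                  {"MY_OTHER_FIELD": "ReturnedValueZ"}]

# Constructed raw events of the outer index: free text, no MY_OTHER_FIELD extraction.
OUTER_EVENTS = [
    "Jan 01 12:00:01 myserver1 worker: processed ReturnedValueX ok",
    "Jan 01 12:00:02 myserver2 worker: processed Unrelated ok",
    "Jan 01 12:00:03 myserver1 worker: processed ReturnedValueY ok",
]

def expand_subsearch(rows, field, bare=False, limit=1):
    """Render subsearch rows into the OR clause the outer search receives.
    bare=False models `| return N field` (and `| table field`): field="value" terms.
    bare=True models `| return N $field`: the bare value, matched against raw text.
    limit models N; `return` hands back a single row unless N is given."""
    terms = []
    for row in rows[:limit]:
        value = row[field]
        terms.append(f'"{value}"' if bare else f'{field}="{value}"')
    return " OR ".join(terms)

def extracted_fields(event):
    """Fields the outer index actually has: only the syslog host here (assumed)."""
    m = re.match(r"\w{3} \d\d \d\d:\d\d:\d\d (\S+)", event)
    return {"host": m.group(1)} if m else {}

def event_matches(event, clause):
    """Evaluate the expanded clause the way search-time matching would."""
    if not clause:
        return False
    for term in clause.split(" OR "):
        if term.startswith('"'):            # bare string: raw-text match
            if term.strip('"') in event:
                return True
        else:                                # field="value": the field must exist
            field, value = term.split("=", 1)
            if extracted_fields(event).get(field) == value.strip('"'):
                return True
    return False

def outer_search(rows, events, field, bare=False, limit=1):
    """Outer search restricted by the subsearch; returns the matching events."""
    clause = expand_subsearch(rows, field, bare, limit)
    return [e for e in events if event_matches(e, clause)]

if __name__ == "__main__":
    print(len(outer_search(SUBSEARCH_ROWS, OUTER_EVENTS, "MY_OTHER_FIELD", False, 10)))  # 0
    print(len(outer_search(SUBSEARCH_ROWS, OUTER_EVENTS, "MY_OTHER_FIELD", True, 10)))   # 2
```

The field-qualified form finds nothing because no event carries a MY_OTHER_FIELD to compare against, while the $field form turns each returned value into a plain string search, which is why the hand-typed "ReturnedValueX" worked in the question.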

msarro
Builder

This is exactly what I was looking for, thank you!
