- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Subsearch in search command not returning resu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey everyone, I am pretty sure this is a simple question, but I'd appreciate a sanity check.
When I run the following command I get a list of values (2910 results, suppose one value is the string "ReturnedValueX"):
index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD
When i try to run it as a subsearch to another search command however, I get 0 results.
index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD]
BUT, if I take one of the values from MY_OTHER_FIELD and use it as a string in the search command like this I get results:
index=myothersearchindex host="myserver*" "ReturnedValueX"
The only possible issues I can think of are:
1) The number of results from the subsearch is too high
2) There are no defined fields in index=myothersearchindex, just raw log data. The goal is to take the list of string values from the subsearch and use it to limit the results of the outer search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello msarro,
I think I see what you are trying to do which is to pass the values up from a subsearch to main search. For this you will need the to use the return command. By default return only returns one value, but you can increase that. There are performance implications to increases the return value.
Here is my example not knowing your data.
index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|return 10 MY_OTHER_FIELD]
What your search is accually looks like.
index=myothersearchindex host="myserver*" MY_OTHER_FIELD="Value1" OR MY_OTHER_FIELD="Value2" OR MY_OTHER_FIELD="Value3" OR MY_OTHER_FIELD="Value4" OR MY_OTHER_FIELD="Value5" OR MY_OTHER_FIELD="Value6"
If you just want the values use ... | return 10 $MY_OTHER_FIELD
Additional Reading:
Hope this helps or gets you started. If it does don't forget to vote up and/or accept the answer.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello msarro,
I think I see what you are trying to do which is to pass the values up from a subsearch to main search. For this you will need the to use the return command. By default return only returns one value, but you can increase that. There are performance implications to increases the return value.
Here is my example not knowing your data.
index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|return 10 MY_OTHER_FIELD]
What your search is accually looks like.
index=myothersearchindex host="myserver*" MY_OTHER_FIELD="Value1" OR MY_OTHER_FIELD="Value2" OR MY_OTHER_FIELD="Value3" OR MY_OTHER_FIELD="Value4" OR MY_OTHER_FIELD="Value5" OR MY_OTHER_FIELD="Value6"
If you just want the values use ... | return 10 $MY_OTHER_FIELD
Additional Reading:
Hope this helps or gets you started. If it does don't forget to vote up and/or accept the answer.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I was looking for, thank you!
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
