Subsearches (and custom fields?)

rickschultz
New Member

I could be doing something wrong, but I can't seem to get subsearches to behave like I expect. I can get something like the documentation (HowSubsearchesWork) example to work, but anything more complicated seems to fail.

This query:

index="main" *CONNECTION | top host limit=1 | fields host

shows the host with the most CONNECTION log entries.

As expected, this query:

* [search index="main" *CONNECTION | top host limit=1 | fields host]

shows all log messages from the host that has the most connection logs. When I try using a different field, however, the behavior changes.

For example, this query shows the most frequent UUIDs (a custom field):

index="main" *CONNECTION | top UUID limit=1 | fields UUID

The following all return "No matching events found.":

* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID]
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as query]
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search]

Pasting the output from either of

index="main" *CONNECTION | top UUID limit=1 | fields UUID | format
index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search | format

into a new Splunk search produces the expected results.

Could this be a syntax or configuration issue, or do I not understand how subsearches work? We're on 4.1.3; could this be related to SPL-32669?

thanks in advance,

rick


Lowell
Super Champion

What happens when you put a "format" in the subsearch? Like does this work:

index=main [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | format ] 

I've found times where my subsearch will not work without tacking a | format on the end. I'm not sure why, and it doesn't seem like you should have to. Perhaps someone more familiar with subsearches can help explain when you need format and when you do not.

Another thing to look into is using the "Job Inspector" and looking at the "remoteSearch" value. You should see "litsearch" followed by the expanded form of your search. You may find something interesting going on there that could explain why your subsearch isn't working properly.

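As an added illustration of what the outer search actually receives from each subsearch variant in the question (this is emulation code written for this thread, not code from the thread or from Splunk; the default format tokens and the verbatim handling of a field named "search" or "query" follow Splunk's format documentation, while the exact spacing and the empty-result case are assumptions):

```python
# Emulates how Splunk's `format` command turns subsearch result rows into the
# search terms spliced into the outer search. Assumes the documented defaults
# ("(" "(" "AND" ")" "OR" ")") and that a field named "search" or "query" is
# inserted verbatim without a field= prefix. Spacing is an assumption.

# Constructed sample output of `top UUID limit=1`: top adds count and percent.
TOP_UUID_ROWS = [
    {"UUID": "3f2a9c1e-0b7d-4e55-9a1c-6d2f8b4e7a10", "count": "42", "percent": "100.000000"},
]

def keep_fields(rows, names):
    """Emulate `| fields a b ...`: keep only the named fields."""
    return [{k: v for k, v in r.items() if k in names} for r in rows]

def rename_field(rows, old, new):
    """Emulate `| rename old AS new`."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]

def format_rows(rows):
    """Emulate `| format` with defaults: fields ANDed within a row, rows ORed."""
    groups = []
    for row in rows:
        terms = []
        for name, value in row.items():
            if name in ("search", "query"):
                terms.append(str(value))            # raw search text, no field=
            else:
                terms.append(f'{name}="{value}"')   # field="value" term
        groups.append("( " + " AND ".join(terms) + " )")
    if not groups:
        return ""  # the real command's empty-result output is not modelled here
    return "( " + " OR ".join(groups) + " )"

def expand_subsearch(outer, rows):
    """Splice the formatted terms where the [ ... ] sits in the outer search."""
    return outer.replace("[SUBSEARCH]", format_rows(rows))

if __name__ == "__main__":
    outer = "index=main [SUBSEARCH]"
    # `| fields UUID`: a single UUID="..." term, which must match a field the outer search can resolve
    print(expand_subsearch(outer, keep_fields(TOP_UUID_ROWS, {"UUID"})))
    # `| rename UUID as search`: the value becomes a bare term matched against raw event text
    print(expand_subsearch(outer, rename_field(keep_fields(TOP_UUID_ROWS, {"UUID"}), "UUID", "search")))
    # no `| fields`: count and percent are ANDed in and can match no event at all
    print(expand_subsearch(outer, TOP_UUID_ROWS))
```

Comparing these strings with the litsearch shown in the Job Inspector's remoteSearch value tells you whether the subsearch expanded the way you intended.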

rickschultz
New Member

Search Job Inspector shows the following, though I'm not sure how to interpret it:

remoteSearch | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"


rickschultz
New Member

index=main [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | format ]

also yields "No matching events found."
