Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use subsearch result as filter

kennethyeung
New Member
‎10-31-2017 05:17 AM

I have 2 indexes. 1 index has the price with product code
Another index has product code and product name

the subsearch is below:

index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

it will return the product name , however if i use as subsearch, it will say no result

index=price [search index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

Actually, I want to filter name = subsearch result as well

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 08:41 AM

i found out have to add "return product_name" at the subsearch , then work fine. Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 05:44 AM

Hi kennethyeung,
Only to understand:
if in index2 you have code and product name: why do you use lookup?

Anyway, probably the problem is in the case.
Try to convert in upper o lower case both the searches.

Or you could rebuild your search:

index=price OR  index=product
| rename code AS product_code
| stats values(price) AS price values(product_name) AS product_name BY product_code

Bye.
Giuseppe

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:06 AM

thanks, becasue the product code is not same on different index, 1 index is 1234 another index product code is short form for the product, (E,g ABC)
that's why i use lookup to map it.

but do you know why my subsearch not work?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 06:19 AM

Hi kennethyeung,
probably the problem is in the case.
Try to convert code and product_code in upper o lower case in both the searches.
Bye.
Giuseppe

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 05:34 AM

Your subsearch should just get the results from the lookup e.g.

|inputlookup code.csv where product_code=1 | table product_name

Alternatively, you can replace index=product with below to make sure you always have data

index=product earliest=0 latest=now

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:11 AM

i tried put "|inputlookup code.csv where product_code=1 | table product_name" as subsearch but not working as well

index=product [ inputlookup code.csv where product_code=1 | table product_name] no result found

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 01:46 PM

It needs to be | before the inputlookup.

Did you also try the earliest and latest setting I suggested in previous comment?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...