Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use subsearch result as filter

kennethyeung
New Member
‎10-31-2017 05:17 AM

I have 2 indexes. 1 index has the price with product code
Another index has product code and product name

the subsearch is below:

index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

it will return the product name , however if i use as subsearch, it will say no result

index=price [search index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

Actually, I want to filter name = subsearch result as well

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 08:41 AM

i found out have to add "return product_name" at the subsearch , then work fine. Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 05:44 AM

Hi kennethyeung,
Only to understand:
if in index2 you have code and product name: why do you use lookup?

Anyway, probably the problem is in the case.
Try to convert in upper o lower case both the searches.

Or you could rebuild your search:

index=price OR  index=product
| rename code AS product_code
| stats values(price) AS price values(product_name) AS product_name BY product_code

Bye.
Giuseppe

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:06 AM

thanks, becasue the product code is not same on different index, 1 index is 1234 another index product code is short form for the product, (E,g ABC)
that's why i use lookup to map it.

but do you know why my subsearch not work?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 06:19 AM

Hi kennethyeung,
probably the problem is in the case.
Try to convert code and product_code in upper o lower case in both the searches.
Bye.
Giuseppe

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 05:34 AM

Your subsearch should just get the results from the lookup e.g.

|inputlookup code.csv where product_code=1 | table product_name

Alternatively, you can replace index=product with below to make sure you always have data

index=product earliest=0 latest=now

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:11 AM

i tried put "|inputlookup code.csv where product_code=1 | table product_name" as subsearch but not working as well

index=product [ inputlookup code.csv where product_code=1 | table product_name] no result found

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 01:46 PM

It needs to be | before the inputlookup.

Did you also try the earliest and latest setting I suggested in previous comment?

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...