Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use subsearch result as filter

kennethyeung
New Member
‎10-31-2017 05:17 AM

I have 2 indexes. 1 index has the price with product code
Another index has product code and product name

the subsearch is below:

index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

it will return the product name , however if i use as subsearch, it will say no result

index=price [search index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

Actually, I want to filter name = subsearch result as well

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 08:41 AM

i found out have to add "return product_name" at the subsearch , then work fine. Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 05:44 AM

Hi kennethyeung,
Only to understand:
if in index2 you have code and product name: why do you use lookup?

Anyway, probably the problem is in the case.
Try to convert in upper o lower case both the searches.

Or you could rebuild your search:

index=price OR  index=product
| rename code AS product_code
| stats values(price) AS price values(product_name) AS product_name BY product_code

Bye.
Giuseppe

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:06 AM

thanks, becasue the product code is not same on different index, 1 index is 1234 another index product code is short form for the product, (E,g ABC)
that's why i use lookup to map it.

but do you know why my subsearch not work?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 06:19 AM

Hi kennethyeung,
probably the problem is in the case.
Try to convert code and product_code in upper o lower case in both the searches.
Bye.
Giuseppe

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 05:34 AM

Your subsearch should just get the results from the lookup e.g.

|inputlookup code.csv where product_code=1 | table product_name

Alternatively, you can replace index=product with below to make sure you always have data

index=product earliest=0 latest=now

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:11 AM

i tried put "|inputlookup code.csv where product_code=1 | table product_name" as subsearch but not working as well

index=product [ inputlookup code.csv where product_code=1 | table product_name] no result found

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 01:46 PM

It needs to be | before the inputlookup.

Did you also try the earliest and latest setting I suggested in previous comment?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...