Splunk Search

Use subsearch result as filter

New Member

I have 2 indexes. 1 index has the price with product code
Another index has product code and product name

the subsearch is below:

index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

it will return the product name , however if i use as subsearch, it will say no result

index=price [search index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

Actually, I want to filter name = subsearch result as well

0 Karma

New Member

i found out have to add "return product_name" at the subsearch , then work fine. Thanks

0 Karma

SplunkTrust
SplunkTrust

Hi kennethyeung,
Only to understand:
if in index2 you have code and product name: why do you use lookup?

Anyway, probably the problem is in the case.
Try to convert in upper o lower case both the searches.

Or you could rebuild your search:

index=price OR  index=product
| rename code AS product_code
| stats values(price) AS price values(product_name) AS product_name BY product_code

Bye.
Giuseppe

0 Karma

New Member

thanks, becasue the product code is not same on different index, 1 index is 1234 another index product code is short form for the product, (E,g ABC)
that's why i use lookup to map it.

but do you know why my subsearch not work?

0 Karma

SplunkTrust
SplunkTrust

Hi kennethyeung,
probably the problem is in the case.
Try to convert code and product_code in upper o lower case in both the searches.
Bye.
Giuseppe

0 Karma

Path Finder

Your subsearch should just get the results from the lookup e.g.

|inputlookup code.csv where product_code=1 | table product_name

Alternatively, you can replace index=product with below to make sure you always have data

index=product earliest=0 latest=now

0 Karma

New Member

i tried put "|inputlookup code.csv where product_code=1 | table product_name" as subsearch but not working as well

index=product [ inputlookup code.csv where product_code=1 | table product_name] no result found

0 Karma

Path Finder

It needs to be | before the inputlookup.

Did you also try the earliest and latest setting I suggested in previous comment?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!