Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use subsearch result as fulltext search in outer search

woezelmann
Engager
‎07-10-2015 12:22 AM

Is it possible to use the result value of a subsearch as a fulltext (or wildcard) search in the outer search. I have a subsearch like this:

servertype=abc "some search terms" | fields correlation_id

and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field, it is just somewhere inside the text, so this is not working

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id]

because splunk is searching for a correlation_id field, which does not exist.

This is a very simplified example, but I hope you get my problem.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 01:06 PM

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]

View solution in original post

Reply
Solved! Jump to solution

marcoscala
Builder
‎03-17-2016 04:52 AM

Use this:

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id | rename correlation_id as search]

as stated here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

Reply
Solved! Jump to solution

606866581
Path Finder
‎07-27-2018 06:11 AM

I had to use ..... | rename correlation_id as query]

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 01:06 PM

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]
Reply
Solved! Jump to solution

woezelmann
Engager
‎07-13-2015 08:38 AM

Great, now it works. Thank you very much!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-10-2015 06:50 AM

This should work (but performance will be slow)

[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw]

But for some reason it does not and I don't know why!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-10-2015 08:47 AM

Further testing is also strange:

|noop | stats count | eval _raw="*972*" | fields _raw | format
|noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*"

These should both create a field called search with value ( ( _raw="*972*" ) ) but they don't.

0 Karma
Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...