Splunk Search

Use subsearch result as fulltext search in outer search


Is it possible to use the result value of a subsearch as a fulltext (or wildcard) search in the outer search. I have a subsearch like this:

servertype=abc "some search terms" | fields correlation_id

and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field, it is just somewhere inside the text, so this is not working

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id]

because splunk is searching for a correlation_id field, which does not exist.

This is a very simplified example, but I hope you get my problem.

Tags (2)
0 Karma
1 Solution

Esteemed Legend

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]

View solution in original post


Use this:

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id | rename correlation_id as search]

as stated here:

Path Finder

I had to use ..... | rename correlation_id as query]

0 Karma

Esteemed Legend

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]


Great, now it works. Thank you very much!

0 Karma

Esteemed Legend

This should work (but performance will be slow)

[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw]

But for some reason it does not and I don't know why!

0 Karma

Esteemed Legend

Further testing is also strange:

|noop | stats count | eval _raw="*972*" | fields _raw | format
|noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*"

These should both create a field called search with value ( ( _raw="*972*" ) ) but they don't.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...