Splunk Search

Use subsearch result as fulltext search in outer search

woezelmann
Engager

Is it possible to use the result value of a subsearch as a fulltext (or wildcard) search in the outer search? I have a subsearch like this:

servertype=abc "some search terms" | fields correlation_id

and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field; it is just somewhere inside the text, so this is not working:

servertype=xyz "some other search terms" [search servertype=abc "some search key" | fields correlation_id]

because Splunk is searching for a correlation_id field, which does not exist.

This is a very simplified example, but I hope you get my problem.


woodcock
Esteemed Legend

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]


marcoscala
Builder

Use this:

servertype=xyz "some other search terms" [search servertype=abc "some search key" | fields correlation_id | rename correlation_id as search]

as stated here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

606866581
Path Finder

I had to use ..... | rename correlation_id as query]

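As an added, constructed illustration (not Splunk's code and not from any poster in this thread), here is a small Python model of what the two answers above rely on: a subsearch's result rows are turned into search terms, and a row field named `search` (or `query`) is inserted as a bare term instead of `field="value"`. It also models woodcock's `eval raw=_raw` trick, where the wildcard lands in a field comparison against a copy of `_raw`. The formatting rules and the term matching are simplified assumptions following the linked docs page, not Splunk's real implementation, and every event below is constructed.

```python
import fnmatch

# Constructed sample events. The xyz events carry the id only inside the text,
# with no correlation_id field, which is exactly the situation in the question.
ABC_EVENTS = [
    {"servertype": "abc", "correlation_id": "c-1001",
     "_raw": "request start correlation_id=c-1001"},
    {"servertype": "abc", "correlation_id": "c-2002",
     "_raw": "request start correlation_id=c-2002"},
]
XYZ_EVENTS = [
    {"servertype": "xyz", "_raw": "worker done for c-1001 in 12ms"},
    {"servertype": "xyz", "_raw": "worker done for c-3003 in 40ms"},
]


def format_subsearch(rows):
    """Toy model (assumption) of how subsearch rows become search terms:
    rows are OR-ed, fields within a row are AND-ed, and a field named
    'search' or 'query' is inserted verbatim as a bare term."""
    clauses = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if field in ("search", "query"):
                terms.append(str(value))
            else:
                terms.append(f'{field}="{value}"')
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


# The three subsearch shapes discussed in the thread, as row producers.
def subsearch_fields(events):
    # ... | fields correlation_id
    return [{"correlation_id": e["correlation_id"]} for e in events]


def subsearch_rename_search(events):
    # ... | fields correlation_id | rename correlation_id as search
    return [{"search": e["correlation_id"]} for e in events]


def subsearch_wildcard_raw(events):
    # ... | eval raw="*" . correlation_id . "*" | fields raw
    return [{"raw": "*" + e["correlation_id"] + "*"} for e in events]


def _term_matches(event, field, value):
    """Simplified matching: a bare term matches a whole token of _raw, a bare
    wildcard term is matched against all of _raw, and field="value" compares
    the named field (wildcards allowed). Real tokenisation is more involved."""
    if field in ("search", "query"):
        raw = event["_raw"]
        if "*" in value:
            return fnmatch.fnmatchcase(raw, value)
        return value in raw.split()
    actual = event.get(field)
    return actual is not None and fnmatch.fnmatchcase(str(actual), str(value))


def run_outer(events, rows, copy_raw=False):
    """Outer search  servertype=xyz [subsearch] ; copy_raw models the
    'eval raw=_raw' step placed before the search command."""
    hits = []
    for e in events:
        if e.get("servertype") != "xyz":
            continue
        if copy_raw:
            e = dict(e, raw=e["_raw"])
        if any(all(_term_matches(e, f, v) for f, v in row.items()) for row in rows):
            hits.append(e["_raw"])
    return hits


if __name__ == "__main__":
    for name, rows, copy_raw in [
        ("fields correlation_id", subsearch_fields(ABC_EVENTS), False),
        ("rename correlation_id as search", subsearch_rename_search(ABC_EVENTS), False),
        ("eval raw=_raw + wildcard raw", subsearch_wildcard_raw(ABC_EVENTS), True),
    ]:
        print(name, "->", format_subsearch(rows))
        print("   hits:", run_outer(XYZ_EVENTS, rows, copy_raw))
```

The first variant produces `( ( correlation_id="c-1001" ) OR ( correlation_id="c-2002" ) )` and finds nothing, because the xyz events have no such field; the `rename ... as search` variant produces bare terms and hits the `c-1001` event; the `raw` variant only works when the outer search has first copied `_raw` into a field the wildcard can be compared against.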

woezelmann
Engager

Great, now it works. Thank you very much!


woodcock
Esteemed Legend

This should work (but performance will be slow):

[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw]

But for some reason it does not and I don't know why!


woodcock
Esteemed Legend

Further testing is also strange:

|noop | stats count | eval _raw="*972*" | fields _raw | format
|noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*"

These should both create a field called search with value ( ( _raw="*972*" ) ) but they don't.
