Splunk Search

Use subsearch result as fulltext search in outer search

Engager

Is it possible to use the result value of a subsearch as a fulltext (or wildcard) search in the outer search. I have a subsearch like this:

servertype=abc "some search terms" | fields correlation_id

and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field, it is just somewhere inside the text, so this is not working

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id]

because splunk is searching for a correlation_id field, which does not exist.

This is a very simplified example, but I hope you get my problem.

Tags (2)
0 Karma
1 Solution

Esteemed Legend

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]

View solution in original post

Builder

Use this:

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id | rename correlation_id as search]

as stated here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

Path Finder

I had to use ..... | rename correlation_id as query]

0 Karma

Esteemed Legend

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]

View solution in original post

Engager

Great, now it works. Thank you very much!

0 Karma

Esteemed Legend

This should work (but performance will be slow)

[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw]

But for some reason it does not and I don't know why!

0 Karma

Esteemed Legend

Further testing is also strange:

|noop | stats count | eval _raw="*972*" | fields _raw | format
|noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*"

These should both create a field called search with value ( ( _raw="*972*" ) ) but they don't.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!