Is it possible to use the result value of a subsearch as a full-text (or wildcard) search in the outer search? I have a subsearch like this:
servertype=abc "some search terms" | fields correlation_id
and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field; it is just somewhere inside the text, so this is not working:
servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id]
because Splunk is searching for a correlation_id field, which does not exist.
This is a very simplified example, but I hope you get my problem.
OK, this is funky but it works:
... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]
Use this:
servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id | rename correlation_id as search]
as stated here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults
I had to use ..... | rename correlation_id as query]
Great, now it works. Thank you very much!
This should work (but performance will be slow):
[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw]
But for some reason it does not and I don't know why!
Further testing is also strange:
|noop | stats count | eval _raw="*972*" | fields _raw | format
|noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*"
These should both create a field called search with value ( ( _raw="*972*" ) ), but they don't.
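To make the behaviour behind the "rename correlation_id as search" answer and the wildcard-based answers above concrete, here is an added, constructed model (not Splunk's code and not from this thread) of how the implicit format step turns subsearch rows into the string the outer search receives: an ordinary field becomes field="value" terms, while a field named search or query is inserted verbatim, which is why an eval'd "*id*" value under that name becomes a free-text wildcard term. The sample correlation ids and the helper names are assumptions.

```python
# Constructed, simplified model of how Splunk renders subsearch results
# into a search string (an added illustration, not Splunk's implementation).
from typing import Dict, List

# Splunk inserts values of these field names verbatim, without field="..."
SPECIAL_FIELDS = {"search", "query"}


def render_row(row: Dict[str, str]) -> str:
    """Render one result row as an AND group, e.g. ( a="1" AND b="2" )."""
    terms = []
    for field, value in row.items():
        if field in SPECIAL_FIELDS:
            terms.append(value)  # bare term; wildcards apply to _raw text
        else:
            terms.append(f'{field}="{value}"')  # field-scoped term
    return "( " + " AND ".join(terms) + " )"


def format_subsearch(rows: List[Dict[str, str]]) -> str:
    """OR the rows together and wrap them, like `format` with defaults."""
    if not rows:
        raise ValueError("empty subsearch result (not modelled here)")
    return "( " + " OR ".join(render_row(r) for r in rows) + " )"


def rename_as_search(rows: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Model of `| fields <field> | rename <field> as search`."""
    return [{"search": r[field]} for r in rows]


def wildcard_as_search(rows: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Model of `| eval search="*" . <field> . "*" | fields search`: each id
    becomes a wildcard term so the outer search matches it anywhere in _raw,
    not only in a dedicated correlation_id field (hypothetical helper)."""
    return [{"search": f"*{r[field]}*"} for r in rows]


# Constructed sample subsearch output: ids from the servertype=abc events
SUBSEARCH_ROWS = [
    {"correlation_id": "c0ffee-01"},
    {"correlation_id": "c0ffee-02"},
]

if __name__ == "__main__":
    print(format_subsearch(SUBSEARCH_ROWS))
    print(format_subsearch(rename_as_search(SUBSEARCH_ROWS, "correlation_id")))
    print(format_subsearch(wildcard_as_search(SUBSEARCH_ROWS, "correlation_id")))
```

The first form only matches events that actually carry a correlation_id field; the second and third match the id as free text, with the wildcard form also hitting ids embedded inside longer tokens, at the cost of a slower scan of _raw.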