Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use the result from the subsearch to a main search

thenormalone
Path Finder
‎06-29-2021 12:28 PM

In one of the search strings, I have an event from which i extract the correlation ids and in turn want to search through there correlation ids to get an event which has a text in from of the correlation id (eg: abc: <correlation_Id>.

 

when I try 

index=ind1 [search sttring 1 | table correlationId], the log which has the string of "abc: <correlation_Id>" is not coming back. But if i search for one of the correlationIds from the table I get that event.

 

I'm not sure what I'm doing wrong here. That event I'm trying to get has a string "abc" in front and I feel like that's causing the results to not come back.

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2021 01:45 PM

You should add rename correlation_id as search into sub search e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fiel...

Also it’s more efficient to replace table with fields as then this search will run on indexers instead of search head.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

swong_splunk
Splunk Employee
Splunk Employee
‎06-29-2021 12:50 PM

Try adding the | format command in the subsearch

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/FORMAT

This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search.

index=ind1
[search sttring 1
| table correlationId
| format]

0 Karma
Reply
Solved! Jump to solution

thenormalone
Path Finder
‎06-29-2021 01:16 PM

well if I'm not mistaken that gives me 

index=ind1 "correlation-id=<correlation_Id>" 

 

so it still isn't giving me that event which has the format "abc: <correlation_Id>"

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2021 01:45 PM

You should add rename correlation_id as search into sub search e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fiel...

Also it’s more efficient to replace table with fields as then this search will run on indexers instead of search head.

r. Ismo

Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...