Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use the result from the subsearch to a main search

thenormalone
Path Finder
‎06-29-2021 12:28 PM

In one of the search strings, I have an event from which i extract the correlation ids and in turn want to search through there correlation ids to get an event which has a text in from of the correlation id (eg: abc: <correlation_Id>.

 

when I try 

index=ind1 [search sttring 1 | table correlationId], the log which has the string of "abc: <correlation_Id>" is not coming back. But if i search for one of the correlationIds from the table I get that event.

 

I'm not sure what I'm doing wrong here. That event I'm trying to get has a string "abc" in front and I feel like that's causing the results to not come back.

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2021 01:45 PM

You should add rename correlation_id as search into sub search e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fiel...

Also it’s more efficient to replace table with fields as then this search will run on indexers instead of search head.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

swong_splunk
Splunk Employee
Splunk Employee
‎06-29-2021 12:50 PM

Try adding the | format command in the subsearch

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/FORMAT

This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search.

index=ind1
[search sttring 1
| table correlationId
| format]

0 Karma
Reply
Solved! Jump to solution

thenormalone
Path Finder
‎06-29-2021 01:16 PM

well if I'm not mistaken that gives me 

index=ind1 "correlation-id=<correlation_Id>" 

 

so it still isn't giving me that event which has the format "abc: <correlation_Id>"

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2021 01:45 PM

You should add rename correlation_id as search into sub search e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fiel...

Also it’s more efficient to replace table with fields as then this search will run on indexers instead of search head.

r. Ismo

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...