Splunk Search

Use the result from a subsearch in a main search

thenormalone
Path Finder

In one of the search strings, I have an event from which I extract the correlation IDs, and in turn I want to search through those correlation IDs to get an event which has text in front of the correlation ID (e.g. abc: <correlation_Id>).

 

When I try

index=ind1 [search string 1 | table correlationId], the log which has the string "abc: <correlation_Id>" is not coming back. But if I search for one of the correlationIds from the table, I get that event.

 

I'm not sure what I'm doing wrong here. The event I'm trying to get has the string "abc" in front, and I feel like that's causing the results to not come back.


isoutamo
SplunkTrust

You should add rename correlation_id as search into the subsearch, e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fiel...

Also, it's more efficient to replace table with fields, as then this search will run on the indexers instead of the search head.

r. Ismo


swong_splunk
Splunk Employee

Try adding the | format command in the subsearch

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/FORMAT

This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search.

index=ind1
[search string 1
| table correlationId
| format]


thenormalone
Path Finder

Well, if I'm not mistaken, that gives me

index=ind1 "correlation-id=<correlation_Id>" 

 

So it still isn't giving me the event which has the format "abc: <correlation_Id>".


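As an added example (not code from the original thread), here is the complete search that isoutamo's answer describes: the subsearch field is renamed to search so its values are spliced into the outer search as bare terms, and fields replaces table so the subsearch can be evaluated on the indexers. The index name ind1, the placeholder <search string 1> and the literal term "abc:" are assumptions taken from the question; substitute your own.

```spl
index=ind1 "abc:"
    [ search index=ind1 <search string 1>
      | fields correlationId
      | rename correlationId AS search ]
```

With the field named search, the subsearch expands to roughly ( ( id1 ) OR ( id2 ) ... ) rather than ( ( correlationId="id1" ) OR ( correlationId="id2" ) ... ), so the outer search matches any event whose raw text contains one of the IDs, including an "abc: <id>" event from which no correlationId field was ever extracted. No explicit format is needed; Splunk applies it implicitly. Two caveats: field names are case-sensitive, so correlationId and correlation_id are different fields, and subsearches are limited by default to 10,000 results and 60 seconds, after which the ID list is truncated with a warning in the job's messages, so consider adding | dedup correlationId if the inner search can return many duplicate IDs.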
