Using subsearch result as a "contains" filter

denissotoacc · ‎10-05-2021

I have a search that I need to filter by a field, using another search. Normally, I would do this:

main_search where [subsearch | table field_filtered | format ]

It works like this:

main_search
for result in subsearch:
    field_filtered=result

In my case, I need to use each result of subsearch as filter BUT as "contains" and not "equal to". I tried something like this but is not working:

main_search | where in (field_filtered,[subsearch])

How can I success in this?

ITWhisperer · ‎10-05-2021

Here is a runanywhere example which demonstrates a technique you might be able to adapt.

index=_internal sourcetype=splunkd_ui_access
| where match(uri_path,
    [search index=_internal sourcetype=splunkd_ui_access
| stats count by uri_path
| head 1
| eval path=split(uri_path,"/")
| eval query=trim(mvjoin(mvindex(path,2,3),"|"),"|")
| table query
| format])
| stats count by uri_path

Essentially, what it does is use the match function on the field you want to filter on, with a subsearch to deliver a pipe-delimited string which act as OR's in the match function.

Using subsearch result as a "contains" filter

field extraction

subsearch

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?

Using subsearch result as a "contains" filter

field extraction

subsearch

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps