Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using subsearch result as a "contains" filter

denissotoacc
Path Finder
‎10-05-2021 08:44 AM

I have a search that I need to filter by a field, using another search. Normally, I would do this:

main_search where [subsearch | table field_filtered | format ]


It works like this:

main_search
for result in subsearch:
    field_filtered=result


In my case, I need to use each result of subsearch as filter BUT as "contains" and not "equal to". I tried something like this but is not working:

main_search | where in (field_filtered,[subsearch])

How can I success in this?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 10:08 AM

Here is a runanywhere example which demonstrates a technique you might be able to adapt.

index=_internal sourcetype=splunkd_ui_access
| where match(uri_path,
    [search index=_internal sourcetype=splunkd_ui_access
| stats count by uri_path
| head 1
| eval path=split(uri_path,"/")
| eval query=trim(mvjoin(mvindex(path,2,3),"|"),"|")
| table query
| format])
| stats count by uri_path

Essentially, what it does is use the match function on the field you want to filter on, with a subsearch to deliver a pipe-delimited string which act as OR's in the match function.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...