Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting error "Unknown search command 'sourcetype'" using a subsearch in a where command?

maximus_reborn
Path Finder
‎05-23-2016 02:04 AM

I want to do something like the below command but it is giving me an error.

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count)]

Error: 

Unknown search command 'sourcetype'.

Can anyone let me know how to achieve the objective? My aim is to extract the events where passenger_count is greater then the average of that column.

This will happen in real time.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 08:48 AM

Try this

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count) as avg | return $avg]

OR

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count) as query]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 08:48 AM

Try this

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count) as avg | return $avg]

OR

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count) as query]
Reply
Solved! Jump to solution

maximus_reborn
Path Finder
‎05-23-2016 08:59 AM

Thanks! It did work.

0 Karma
Reply
Solved! Jump to solution

philippiq
New Member
‎05-26-2017 08:40 AM

try to insert 'search' before sourcetype

0 Karma
Reply
Solved! Jump to solution

NOUMSSI
Builder
‎05-23-2016 03:03 AM

Hi try this:

sourcetype=SplunkKafka_messaging | spath input=msg_body | where passenger_count > [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | stats avg(passenger_count)]
Reply
Solved! Jump to solution

NOUMSSI
Builder
‎05-23-2016 05:03 AM

Dont forget to accept my answer if you were satisfied

0 Karma
Reply
Solved! Jump to solution

maximus_reborn
Path Finder
‎05-23-2016 08:01 AM

I am getting 2 errors:
1. Error reading runtime settings: File :/usr/local/splunk/var/run/splunk/dispatch/subsearch_1464015531.154_1464015531.1/runtime.csv does not exist
2. ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'where' command: Typechecking failed. The '>' operator received different types

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...