Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I use multisearch here?

khevans
Path Finder
‎07-02-2019 09:34 AM

I'm trying to use Multisearch to combine the results of two commands. My search is:

| multisearch 
    [ search index=... sourcetype=access_combined method != OPTIONS user=khevans host=... uri_path != "/" 
        earliest=1561994601 latest=1561994640 
    | join uri type=left 
        [ search index=... sourcetype=access_combined status = 200 method != OPTIONS user=khevans 
        | fields referer referer_domain 
        | dedup referer 
        | eval uri = ifnull(substr(referer, len(referer_domain) + 1), uri) 
        | eval is_nav_out = 1 ] 
    | where isnull(is_nav_out) 
    | eval ref_uri = ifnull(substr(referer, len(referer_domain) + 1), start_uri) 
    | where ref_uri="..." 
    | eval type = "Web"] 
    [ search eventtype=... host=... api_uri != ...
        earliest=1561994601 latest=1561994640 
    | where api_user == "khevans" OR isnull(api_user) 
    | eval uri_path = api_uri . IFNULL("?" . api_uri_query, ""),
        user = IFNULL(api_user, "?"),
        type = "API" ]

I am getting this error:

Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)

According to the list of streaming commands, all of these are streaming. Additionally, when I run each search query independently, and press inspect job, both eventIsStreaming = true and resultIsStreaming = true. Why can't I run this multisearch?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

khevans
Path Finder
‎07-02-2019 11:07 AM

I refactored it to not use a left or an outer join, by just using a NOT [...] subsearch in the search clause.

View solution in original post

Reply
Solved! Jump to solution
Solution

khevans
Path Finder
‎07-02-2019 11:07 AM

I refactored it to not use a left or an outer join, by just using a NOT [...] subsearch in the search clause.

Reply
Solved! Jump to solution

khevans
Path Finder
‎07-02-2019 11:01 AM

To add: it seems that the left join is causing the problem, so I guess I can refactor it to not use the join. But I'm still confused as to why the Job Inspector and documentation states that it is streaming.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top