Splunk Search

Why is my subsearch not working?

utk123
Path Finder

I am trying the subsearch below, but it's not giving any results: "No results found. Try expanding the time range."

I want to get the IP address from search2, and then use it in search1.

Search1 (outer search): giving results

index=index1 sourcetype=sourcetype1 IP_address

Search2 (inner search): giving results

index=index2 sourcetype=sourcetype2 category=category2 | top limit=1 src| table src

subsearch: not giving results

index=index1 sourcetype=sourcetype1 [search 
index=index2 sourcetype=sourcetype2 category=category2 | top limit=1 src| table src]

Am I missing anything here?

0 Karma
1 Solution

niketn
Legend

@utk123 try the following search. The rename src as IP_address is required because index1 has the field IP_address:

index=index1 sourcetype=sourcetype1 
    [ search 
        index=index2 sourcetype=sourcetype2 category=category2 
    | top limit=1 src showcount=f showperc=f 
    | rename src as IP_address]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
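As an added illustration (not code from this thread), the Python below models the rule behind this answer: Splunk turns every field of every row a subsearch returns into field="value" terms, ANDed within a row and ORed across rows (the same string `| format` would show), so a row that still carries src, or top's count and percent columns, can never match index1 events whose field is IP_address. The index1 events and the subsearch rows are constructed samples.

```python
"""Model of how Splunk expands a subsearch into an implicit filter on the outer search.

Added example, not from the thread. Sample events and subsearch rows are constructed.
"""


def format_subsearch(rows):
    """Rebuild the search string Splunk generates from subsearch result rows.

    Each row becomes ( f1="v1" AND f2="v2" ... ); rows are joined with OR.
    """
    groups = []
    for row in rows:
        terms = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        groups.append(f"( {terms} )")
    return "( " + " OR ".join(groups) + " )"


def matches(event, rows):
    """True if an outer-search event satisfies the implicit filter.

    An event matches when some row has every one of its field=value pairs
    present in the event under exactly that field name.
    """
    return any(
        all(str(event.get(field)) == str(value) for field, value in row.items())
        for row in rows
    )


# Constructed index1 events (outer search): the IP lives in a field named IP_address.
INDEX1 = [
    {"IP_address": "10.0.0.5", "sourcetype": "sourcetype1"},
    {"IP_address": "10.0.0.9", "sourcetype": "sourcetype1"},
]

# Constructed rows for the three subsearch variants discussed in the thread.
# ... | top limit=1 src | table src          (original question: wrong field name)
TOP_SRC_TABLE = [{"src": "10.0.0.5"}]
# ... | top limit=1 src                      (top's count/percent columns leak into the filter)
TOP_SRC_RAW = [{"src": "10.0.0.5", "count": "3", "percent": "100.000000"}]
# ... | top limit=1 src showcount=f showperc=f | rename src as IP_address   (accepted answer)
FIXED = [{"IP_address": "10.0.0.5"}]


def outer_hits(rows):
    """Events from INDEX1 that the outer search would return for these subsearch rows."""
    return [event for event in INDEX1 if matches(event, rows)]
```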

utk123
Path Finder

Thanks, that was the trick. I had to use the same field name for the IP address in both queries.
My final query, which is working now:

index=index1 sourcetype=sourcetype1 [search
index=index2 sourcetype=sourcetype2 category=category2 | table src | rename src as IP_address]

0 Karma

askkawalkar
Path Finder

@utk123, to get results from the above subsearch, the src field value needs to be present in Search 1. If this criterion is fulfilled, the query will work, and n events will be returned by the search.

Please refer to the queries below.
The query below will return results:

index=_internal group=pipeline
    [search index=_internal component=Metrics | top limit=1 name | table name]

The query below might not return a result:

index=_internal group=executor
    [search index=_internal component=Metrics | top limit=1 name | table name]

PS: The above queries are heavy queries.

0 Karma