
Why two searches work separately, but subsearch leads to no results?

kkas
Path Finder

Beginner here,

I've been trying to practice subsearching, but I've come across a problem I couldn't figure out how to get around. So I'm trying to search source A and find the top IP corresponding with the net-id. This search works when I do it separately and outputs an IP address. From there I want to search through another source type for info corresponding with this IP address. My full search looks like this

search source=B [search source=A net_id=Alpha| dedup ip|top limit=1 ip| fields ip]

If I manually enter the IP like so: search source=B "___.___._.___" <- (the same numbers that are output if I search source=A net_id=Alpha|dedup ip|top limit=1 ip|fields ip), it outputs the expected results, but if I try to do it in one go like it's written above using a subsearch, I get no results. Any ideas?

1 Solution

dwaddle
SplunkTrust

With subsearches, by default fields matter. Your subsearch is actually outputting something more like

( ip = 1.2.3.4 )

So the assumption is that source "B" has a field named ip, with a value of 1.2.3.4. You can rename the output field from the subsearch to match the source "B" fields, or you can tell the subsearch to output the field "naked" by renaming the output field ip to query. See http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changetheformatofsubsearchresults

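To make the accepted answer concrete, the following is an added Python model (not Splunk's code and not from either poster) of how a subsearch's result rows are expanded into terms for the outer search. It follows the documented default of the format command: each result row becomes ( field="value" AND ... ), rows are OR'ed together, and a field named search or query contributes its value verbatim. Exact spacing and quoting of real Splunk output may differ. The sample events are constructed, and the assumption that source B names its address field dest_ip (rather than ip) is mine; it is there to show the field-name mismatch the answer describes and the two ways out of it.

```python
"""Model of how Splunk expands a subsearch into search terms, and why a
field-name mismatch returns nothing.

Added example, not Splunk's code.  Follows the documented default behaviour
of the `format` command; real output may differ in spacing and quoting.
All event data below is constructed.
"""

from collections import Counter

NAKED_FIELDS = ("search", "query")   # values of these fields are inserted as-is


def format_subsearch(rows):
    """Render result rows the way the outer search will see them."""
    if not rows:
        return "NOT()"               # documented rendering of an empty subsearch
    clauses = []
    for row in rows:
        terms = [
            str(value) if field in NAKED_FIELDS else f'{field}="{value}"'
            for field, value in row.items()
        ]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def event_matches(event, row):
    """One OR-clause: every term of the row must hold for the event."""
    for field, value in row.items():
        if field in NAKED_FIELDS:
            if str(value) not in event["_raw"]:      # bare term: raw-text match
                return False
        elif event.get(field) != value:              # field=value: needs that field
            return False
    return True


def run_outer_search(events, rows):
    """Events of the outer search that satisfy the expanded subsearch."""
    return [e for e in events if any(event_matches(e, row) for row in rows)]


def top_ip(events_a, net_id):
    """Mirror `source=A net_id=<x> | top limit=1 ip | fields ip` as result rows."""
    counts = Counter(e["ip"] for e in events_a if e.get("net_id") == net_id)
    if not counts:
        return []
    ip, _ = counts.most_common(1)[0]
    return [{"ip": ip}]


def rename(rows, old, new):
    """Mirror `| rename old AS new` applied inside the subsearch."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]


# Constructed sample data (not from the original post).
SOURCE_A = [
    {"net_id": "Alpha", "ip": "1.2.3.4"},
    {"net_id": "Alpha", "ip": "1.2.3.4"},
    {"net_id": "Alpha", "ip": "10.0.0.7"},
    {"net_id": "Beta",  "ip": "10.0.0.7"},
]
# Assumption: source B carries the address in a field called dest_ip, not ip.
SOURCE_B = [
    {"_raw": "conn dest_ip=1.2.3.4 bytes=512",  "dest_ip": "1.2.3.4"},
    {"_raw": "conn dest_ip=10.0.0.7 bytes=128", "dest_ip": "10.0.0.7"},
    {"_raw": "conn dest_ip=1.2.3.4 bytes=2048", "dest_ip": "1.2.3.4"},
]


def demo():
    """Expansion string and hit count for the posted search and the two fixes."""
    rows = top_ip(SOURCE_A, "Alpha")                       # [{'ip': '1.2.3.4'}]
    as_posted = rows                                       # ( ( ip="1.2.3.4" ) ) -> no ip field in B
    renamed = rename(rows, "ip", "dest_ip")                # ( ( dest_ip="1.2.3.4" ) )
    naked = rename(rows, "ip", "query")                    # ( ( 1.2.3.4 ) ) -> raw-text term
    return {
        name: (format_subsearch(r), len(run_outer_search(SOURCE_B, r)))
        for name, r in (("as_posted", as_posted), ("renamed", renamed), ("naked", naked))
    }


if __name__ == "__main__":
    for name, (expansion, hits) in demo().items():
        print(f"{name:10s} {expansion:28s} -> {hits} result(s)")
```

Running it shows the posted form expanding to ( ( ip="1.2.3.4" ) ) and matching nothing, while renaming to the outer source's field name or to query both return the two matching events. The model deliberately leaves out the dedup ip step from the posted search: after dedup every IP has a count of one, so top limit=1 no longer picks the most frequent address, only whichever survives first.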


kkas
Path Finder

Thanks so much for the quick reply!
