Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why two searches work separately, but subsearch leads to no results?

kkas
Path Finder
‎06-09-2015 06:54 AM

Beginner here,

I've been trying to practice subsearching, but I've come across a problem I couldn't figure out how to get around. So I'm trying to search source A and find the top IP corresponding with the net-id. This search works when I do it separately and outputs an IP address. From there I want to search through another source type for info corresponding with this IP address. My full search looks like this 

search source=B [search source=A net_id=Alpha| dedup ip|top limit=1 ip| fields ip]

If I manually enter the ip like so: search source=B "___.___._.___" <- (same numbers that output if I search source=A net_id=Alpha|dedup ip|top limit=1 ip|fields ip ) it outputs expected results, but if I try and do it in one go like its written above using a subsearch, I get no results. Any ideas?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-09-2015 06:58 AM

With subsearches, by default fields matter. Your subsearch is actually outputting something more like

( ip = 1.2.3.4 )

So the assumption is that source "B" has a field named ip, with a value of 1.2.3.4. You can rename the output field from the subsearch to match the source "B" fields, or you can tell the subsearch to output the field "naked" by renaming the output field ip to query. See http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changetheformatofsubsearchresults

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-09-2015 06:58 AM

With subsearches, by default fields matter. Your subsearch is actually outputting something more like

( ip = 1.2.3.4 )

So the assumption is that source "B" has a field named ip, with a value of 1.2.3.4. You can rename the output field from the subsearch to match the source "B" fields, or you can tell the subsearch to output the field "naked" by renaming the output field ip to query. See http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changetheformatofsubsearchresults

Reply
Solved! Jump to solution

kkas
Path Finder
‎06-09-2015 07:03 AM

Thanks so much for the quick reply!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...