Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to do a subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following query
and the following is a result, for a particular run of a process it creates muiltiple such results as below depending on how many reports are present in the batch. So from the below "bz9mf-37v-qgt" is the processID which is common in the two search resutls. I want to extract the FileName from one result and ProcessingTime from the other result
bz9mf-37v-qgt Filename Processingtime
this should be my output can someone please help?
1 » 12/7/12
9:35:31.572 AM 2012-12-07 09:35:31,572 INFO [cdpbAbnamro:RunFiber (120279:3011)] Deliverator.2106 (bz9mf-37v-qgt) (x-rmg-job:bz9mf-37p-uug#tag:2012-12-07:1354872928990) [Normal] bz9mf-37p-uug [Event/Other/ReportDetail] [DeliveryTime=2012-12-07 09:35:31.0, FileName=hfpositions.20121207.CreditExposure.5D, ReportingResultId=workflow@abnamro.com@hfpositions.20121207.CreditExposure.5D, Status=DELIVERED]
2 » 12/7/12
9:35:31.568 AM 2012-12-07 09:35:31,568 INFO [reporting-process-manager:CreateReportingResult (140962:1398)] AuditFilter.1943 (bz9mf-37v-qgt) (x-rmg-job:bz9mf-37p-uug#tag:,2012-12-07:cdpbAbnamro,1354872929872) [Audit] End [Event/End/OperationEnd] [Action=urn:RiskMetricsDirect:1.0:reporting-process-manager:CreateReportingResult, CPU=20, IO=655, ProcessingTime=1501, ServiceTime=1492, Size=1360]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you could just use stats.
... | stats first(Filename) as Filename, first(Processingtime) as Processingtime by processID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you could just use stats.
... | stats first(Filename) as Filename, first(Processingtime) as Processingtime by processID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great Worked fine!!! thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I have extracted these fields but as I said I want to join the two results based on the processid, as I asid its not just these two rows , for a client there are many rows (two each for a particular processID) depending on number or reports so
basically output in a single row would be
Process ID1 Processingtime1
Process ID1 filename1
Process ID2 Processingtime2
Process ID2 filename2
..
lets say there are 12 rows in actual result, I want to reduce to 6
Process ID1 Processingtime1 filename1
Process ID2 Processingtime2 filename2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you extracted the relevant fields (processId, Filename, Processingtime)? I'm not sure why you'd particularly want to use a subsearch for solving this.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
