Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- main search get index from subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Everyone,
I would want to ask a question, is there any way for main search get the index return from subsearch? Since the subsearch will be execute first. The results in the datamodel may return different indexes
some of my example:
index=[|datamodel Tutorial Client_errors index | return index]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The datamodel don't have the src and dest ip address, so I want to use the indexes return from datamodel and perform further search in the main search.
Do you mean you want to use additional data from that datamodel to enrich the main search? In that case, subsearch is the wrong tool. How you use datamodel will depend on what you want to do with this main search. (Here, let me lay out elements of an answerable question so you don't confuse volunteers in the future: Illustrate your dataset (or explain in detail), illustrate the desired output, explain the logic between illustrated data and desired output (without SPL). If you do illustrate sample SPL, illustrate actual output, too, then explain how it differs from desired output if it is not painfully obvious.)
Let me do a simple illustration. If your main search without datamodel is
index=myindex sourcetype=mytype abc=*
| stats values(abc) as abc by defsuppose it returns something like
| def | abc |
| def1 | aaa bbb ccc |
| def2 | bbb ddd fff |
| def3 | aaa |
and if your datamodel search returns src_ip, dst_ip, and def, like this:
| def | src_ip | dst_ip |
| def1 | 1.1.1.1 | 2.2.2.2 |
| def2 | 1.2.1.1 | 2.1.2.1 |
| def3 | 1.2.3.4 | 2.4.6.8 |
| def4 | 4.3.2.1 | 8.6.4.2 |
You want the additional fields associated with def to be shown. Then, you can do
index=myindex sourcetype=mytype abc=*
| append
[ datamodel Tutorial Client_errors index]
| stats values(abc) as abc values(src_ip) as src_ip values(dst_ip) as dst_ip by defThis way, you get
| def | abc | src_ip | dst_ip |
| def1 | aaa bbb ccc | 1.1.1.1 | 2.2.2.2 |
| def2 | bbb ddd fff | 1.2.1.1 | 2.1.2.1 |
| def3 | aaa | 1.2.3.4 | 2.4.6.8 |
If your search and desired output are different, there are other ways to accomplish your goal but you have to be specific.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @cshihua ,
you have to use a normal subsearch:
[ | datamodel Tutorial Client_errors index | fields index]
| ...Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to clarify what does "to get the index".. Do you mean to restrict the main search's index to values of index in the subsearch? If that, all you need to do is
[|datamodel Tutorial Client_errors index
| stats values(index) as index] <rest of your filters>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi yuanliu & everyone,
The datamodel don't have the src and dest ip address, so I want to use the indexes return from datamodel and perform further search in the main search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The datamodel don't have the src and dest ip address, so I want to use the indexes return from datamodel and perform further search in the main search.
Do you mean you want to use additional data from that datamodel to enrich the main search? In that case, subsearch is the wrong tool. How you use datamodel will depend on what you want to do with this main search. (Here, let me lay out elements of an answerable question so you don't confuse volunteers in the future: Illustrate your dataset (or explain in detail), illustrate the desired output, explain the logic between illustrated data and desired output (without SPL). If you do illustrate sample SPL, illustrate actual output, too, then explain how it differs from desired output if it is not painfully obvious.)
Let me do a simple illustration. If your main search without datamodel is
index=myindex sourcetype=mytype abc=*
| stats values(abc) as abc by defsuppose it returns something like
| def | abc |
| def1 | aaa bbb ccc |
| def2 | bbb ddd fff |
| def3 | aaa |
and if your datamodel search returns src_ip, dst_ip, and def, like this:
| def | src_ip | dst_ip |
| def1 | 1.1.1.1 | 2.2.2.2 |
| def2 | 1.2.1.1 | 2.1.2.1 |
| def3 | 1.2.3.4 | 2.4.6.8 |
| def4 | 4.3.2.1 | 8.6.4.2 |
You want the additional fields associated with def to be shown. Then, you can do
index=myindex sourcetype=mytype abc=*
| append
[ datamodel Tutorial Client_errors index]
| stats values(abc) as abc values(src_ip) as src_ip values(dst_ip) as dst_ip by defThis way, you get
| def | abc | src_ip | dst_ip |
| def1 | aaa bbb ccc | 1.1.1.1 | 2.2.2.2 |
| def2 | bbb ddd fff | 1.2.1.1 | 2.1.2.1 |
| def3 | aaa | 1.2.3.4 | 2.4.6.8 |
If your search and desired output are different, there are other ways to accomplish your goal but you have to be specific.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
