Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multi value fields in subsearch to join become single value in parent

bowesmana
SplunkTrust
SplunkTrust
‎03-25-2018 08:54 PM

I have a subseqrch to a join that returns a multivalued field. However, when that's put into a table in the parent search, it becomes a single value field... Just wondered why and how to deal with it

index=web (host=X cs_uri_stem=/login status=500) OR (host=Y cs_uri_stem=/subrequest)
| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
| where count=2
| join Correlation_Id [ search index=application (Level=Error OR Level=Warning) 
| stats values(Message) as Message by Correlation_Id | eval d=mvcount(Message) ]
| eval c=mvcount(Message)
| table Correlation_Id, Path, Status, Message, c, d

In the subsearch d is set to the count of the mv field items and is generally 2 or 3, but in the outer search c becomes 1 and the resultant text field is shown as a single piece of text with all messages concatenated.

How can I keep the mv field status from the subsearch. The outer search has no field called Message.

0 Karma
Reply

HiroshiSatoh
Champion
‎03-25-2018 10:00 PM

You are using a field that does not exist. Please review the search sentence.

| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
⇒Correlation_Id,Path ,Status ,count

| join Correlation_Id [ search index=application (Level=Error OR Level=Warning)
| stats values(Message) as Message by Correlation_Id
⇒Correlation_Id ,Message

| eval d=mvcount(Template) ]
⇒Correlation_Id ,Message  ※Template does not exist

| eval c=mvcount(Template)
⇒Correlation_Id,Path ,Status ,count ,Message ※Template does not exist

| table Correlation_Id, Path, TimeTaken, Status, Template, c, d
⇒Correlation_Id, Path, TimeTaken(※NULL), Status, Template(※NULL), c(※NULL), d(※NULL)

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-26-2018 09:21 PM

Duh - sorry - there was me trying to simplify the query from the original - only did half a job - basically Message was Template - hope that clarifies. Thanks for the pick

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...