Splunk Search

multisearch not allowing dedup individual search

arusoft
Communicator

I have two searches that I wanted to do some filtering on before doing a multisearch. Is that not possible?

My code looks something like the below.


| multisearch
[search index="XXX" | table Field1 Field2]
[search index="YYY" | table Field11 Field22 | dedup Field11 Field22]
|table Field1 Field2 Field11 Field22


For this I am getting the error message:


Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 2 contains a non-streaming command).


richgalloway
SplunkTrust

The dedup command is not allowed with multisearch. You'll have to dedup after the multisearch or use append instead of multisearch.

---
If this reply helps you, Karma would be appreciated.

arusoft
Communicator

I tried to do it the below way, but instead of getting over 600k records, I am getting only around 80k records. My goal is simply to add two searches and then process the result. Looks like it's doing something else.

index="XXX" | table Field1 Field2 
|append extendtimerange=true maxtime=60000 maxout=50000000 timeout=60000
[search index="YYY" | table Field11 Field22 | dedup Field11 Field22]
|table Field1 Field2 Field11 Field22


PickleRick
Ultra Champion

Why don't you just do:

index="XXX" OR index="YYY"
| fields Field1 Field2 Field11 Field22
| fields - _raw
| dedup Field11 Field22
| table Field1 Field2 Field11 Field22

On the other hand, I don't understand why you "join" two distinct sets of fields and want to put them in one table. That doesn't make much sense.

So far you didn't tell us what you're trying to achieve and from what data, but only what you're doing, so we can't help you achieve your desired result if we don't know what it is.


arusoft
Communicator

@PickleRick I am already doing what you suggested. My second search has a lot of duplicate data, so I was thinking that deduping in advance would speed up the overall search. If that is not the case then I will continue doing what you suggested. My end goal is to find the max date from the second search based on common columns and then display the same with the main search. I already got help from this community and it's working fine. Thank you.

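As an added example (not code from either poster), one way to follow richgalloway's advice and keep both multisearch subsearches purely streaming (eval, rename, fields), then do the deduplication and the "max date per common columns" from the last post with a single stats after the multisearch. It assumes Field11/Field22 in index YYY are the same keys as Field1/Field2 in index XXX and that the date of interest is _time; stats groups by the key, so no dedup is needed at all.

```spl
| multisearch
    [search index="XXX"
        | eval src="main"
        | fields src Field1 Field2]
    [search index="YYY"
        | eval src="second"
        | rename Field11 AS Field1, Field22 AS Field2
        | fields src _time Field1 Field2]
| stats max(eval(if(src="second", _time, null()))) AS max_date,
        count(eval(src="main")) AS main_events
        BY Field1 Field2
| where main_events > 0
| eval max_date=strftime(max_date, "%Y-%m-%d %H:%M:%S")
| table Field1 Field2 max_date main_events
```

Because stats reduces the second search to one row per key, the 600k raw events never need a non-streaming dedup inside the subsearch, which is what the multisearch error was rejecting.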