Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

multisearch not allowing dedup individual search

arusoft
Communicator
‎01-26-2022 12:18 PM

I have two searches that I wanted to do some filtering before doing multisearch, Is that not possible?

my code looks something like below. 

 

| multisearch
[search index="XXX" | table Field1 Field2]
[search index="YYY" |  table Field11 Field22 |dedup Field11 Field22]
|table Field1 Field2 Field11 Field22

 

For this I am getting error message 

 

Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 2 contains a non-streaming command).

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-26-2022 01:27 PM

The dedup command is not allowed with multisearch.  You'll have to dedup after the multisearch or use append instead of multisearch.

---
If this reply helps you, Karma would be appreciated.
Reply

arusoft
Communicator
‎01-27-2022 05:59 AM

I tried to do the below way, but instead of getting  over 600k records, I am getting only around 80k records.  My goal is to simply to  add two searches and then process the result. Looks like its doing something else.

index="XXX" | table Field1 Field2 
|append extendtimerange=true  maxtime=60000 maxout=50000000 timeout=60000
[search index="YYY" |  table Field11 Field22 |dedup Field11 Field22]
|table Field1 Field2 Field11 Field22

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-27-2022 06:09 AM

Why don't you just do

index="XXX OR index="YYY"
| fields Field1 Field2 Field11 Field12
| fields - _raw
| dedup Field11 Field22
| table Field1 Field2 Field11 Field22

On the other hand, I don't understand why you "join" two distinct sets of fields and want to put them in one table. That doesn't make much sense.

So far you didn't tell us what you're trying to achieve and from what data, but only what you're doing so we can't help you achieve your desired result if we don't know what it is.

0 Karma
Reply

arusoft
Communicator
‎01-27-2022 07:59 AM

@PickleRick I am already doing what you suggested. My second search has lot of duplicate data. So I was thinking that deduping in advance would speed up overall search. If that is not the case then I will continue doing what you suggested. My end goal is to find max date from second search based on common columns and then display the same with main search. I already got help from this community is its working fine. Thank You. 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...