Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

pass a subsearch result to the head command

proylea
Contributor
‎12-15-2015 05:36 PM

I am trying to pass the numeric result of a subsearch to the head command with no success, can anyone see what I am doing wrong?

The following query returns a count of 3

index=starx error | fieldformat count=count/2 | stats count

I want to use that query as a subsearch result for the head command like this

index=starx error | head [ search index=starx error | fieldformat count=count/2 | stats count ]

But get no result found

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2015 06:13 PM

Hi proylea,

if you want to pass a value to the head command you must return only a value form the subsearch, but you're currently returning count=somenumber. Do get back only a value from the subsearch run this run everywhere search 

  index=_internal error | head [ search index=_internal error | stats count | rename count AS search ]

This will rename the count field to a search field, which will just come back as a value. This way head can use it.

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎12-16-2015 04:44 AM

If you want to avoid using a subsearch altogether you could do something like this:

index=starx error | streamstats count as total_results | eventstats p50(count) as average | eval keep=count-average | search keep>0

This avoids any limitations in the subsearch if your index is very large, and saves you from running the index=starx search twice.

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2015 06:13 PM

Hi proylea,

if you want to pass a value to the head command you must return only a value form the subsearch, but you're currently returning count=somenumber. Do get back only a value from the subsearch run this run everywhere search 

  index=_internal error | head [ search index=_internal error | stats count | rename count AS search ]

This will rename the count field to a search field, which will just come back as a value. This way head can use it.

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

proylea
Contributor
‎12-15-2015 07:25 PM

Finally got it!

index=starx error | head [ search index=starx error | stats count | eval total=round(count/2) | rename total AS search ]
Reply
Solved! Jump to solution

proylea
Contributor
‎12-15-2015 06:53 PM

Hi MuS
With your query both the base search and the subsearch returns the same count, hence the head value returned is not divided by 2.

Regards
Peter

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2015 07:06 PM

Sorry my bad, ignore the second example. Look at the provided first example and tweak it to your needs.

0 Karma
Reply
Solved! Jump to solution

proylea
Contributor
‎12-15-2015 07:11 PM

Cheers, I still can't work out how to divide the count by 2 to return the result?

0 Karma
Reply
Solved! Jump to solution

proylea
Contributor
‎12-15-2015 07:26 PM

Thanks for your help MuS with the rename AS search

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...