Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

question about sub search query

gudavasr
Path Finder
‎03-29-2012 04:00 PM

One of my query returns results like below:

sourcetype="centergrid_log" CG_JobStatus="Status is Error" |  table CG_DScg_session_id | rename CG_DScg_session_id  as worker_Sid

123456
234567
234567
345678

now, when I do subsearch:

sourcetype="worker_log" [search sourcetype="grid_log" CG_JobStatus="Status is Error" |  rename CG_DScg_session_id as worker_Sid | rename worker_Sid as search]

the results returned are matched to the first value of the column worker_Sid. But I want the results to match all the values of worker_Sid.
How can I do that?

I tried different ways from this document but no luck.
http://docs.splunk.com/Documentation/Splunk/4.3.1/User/HowSubsearchesWork

Particularly the last part..

Thank you.

Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎03-29-2012 09:41 PM

I would make some suggestions.

  1. Use | fields to limit the output of your subsearch to only the fields you want. In most subsearch cases, using the special search or query fields aren't necessary.

  2. Use the format command to see exactly how the results of your subsearch will be formatted. You can run this search:

    sourcetype="centergrid_log" CG_JobStatus="Status is Error"
    | fields CG_DScg_session_id | rename CG_DScg_session_id as worker_Sid
    | format

Which should give you an idea of exactly what is being emitted from the subsearch, and how it should fit into the parent search.

These are just some troubleshooting ideas - feedback appreciated.

Reply

gudavasr
Path Finder
‎03-30-2012 10:00 AM

It actually works..I was using "rename as search" hence it returned only one column..instead of many..
Thank You for your help

0 Karma
Reply

gudavasr
Path Finder
‎03-30-2012 09:17 AM

The above query shows the results exactly what I want i.e.,
it says the output as
(worker_Sid="1234567" or worker_Sid="2345678")
but when I use it as subsearch i.e.:
the parent query is searching only the first result i.e worker_Sid="1234567" it does not search worker_Sid="2345678".

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...