Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

question about sub search query

gudavasr
Path Finder
‎03-29-2012 04:00 PM

One of my query returns results like below:

sourcetype="centergrid_log" CG_JobStatus="Status is Error" |  table CG_DScg_session_id | rename CG_DScg_session_id  as worker_Sid

123456
234567
234567
345678

now, when I do subsearch:

sourcetype="worker_log" [search sourcetype="grid_log" CG_JobStatus="Status is Error" |  rename CG_DScg_session_id as worker_Sid | rename worker_Sid as search]

the results returned are matched to the first value of the column worker_Sid. But I want the results to match all the values of worker_Sid.
How can I do that?

I tried different ways from this document but no luck.
http://docs.splunk.com/Documentation/Splunk/4.3.1/User/HowSubsearchesWork

Particularly the last part..

Thank you.

Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎03-29-2012 09:41 PM

I would make some suggestions.

  1. Use | fields to limit the output of your subsearch to only the fields you want. In most subsearch cases, using the special search or query fields aren't necessary.

  2. Use the format command to see exactly how the results of your subsearch will be formatted. You can run this search:

    sourcetype="centergrid_log" CG_JobStatus="Status is Error"
    | fields CG_DScg_session_id | rename CG_DScg_session_id as worker_Sid
    | format

Which should give you an idea of exactly what is being emitted from the subsearch, and how it should fit into the parent search.

These are just some troubleshooting ideas - feedback appreciated.

Reply

gudavasr
Path Finder
‎03-30-2012 10:00 AM

It actually works..I was using "rename as search" hence it returned only one column..instead of many..
Thank You for your help

0 Karma
Reply

gudavasr
Path Finder
‎03-30-2012 09:17 AM

The above query shows the results exactly what I want i.e.,
it says the output as
(worker_Sid="1234567" or worker_Sid="2345678")
but when I use it as subsearch i.e.:
the parent query is searching only the first result i.e worker_Sid="1234567" it does not search worker_Sid="2345678".

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...
Top