Splunk Search

"Unknown search command" with subsearch

chrlshrnbrgr
New Member

I'm stumbling over subsearches.

In our system, app server logs contain an SID (session ID). It's trivial to find all (valid/known) SIDs for a given account with:

SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID 

I can also break down the status codes easily:

sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE

But I can't figure out how to put the two together using a subsearch. If I try:

sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE [ SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID ]

I get:

Unknown search command 'sid'.

What am I missing here?

1 Solution

martin_mueller
SplunkTrust

You need to call a command first, such as "search". For the main query that is prepended by default. Something like this:

... [search SID=...

I'm not sure what you want to do though, since you're passing the result of the subsearch to the top command, which doesn't support this.


gkanapathy
Splunk Employee

top limit=1000 or top limit=0, but yes, dedup is better if you don't need the ranking and percentages, since it doesn't have to sort or accumulate the total.


jonuwz
Influencer

"It's trivial to find all" - top does not return all the SIDS.

[ ... | fields SID | dedup SID ]

will



gkanapathy
Splunk Employee

You don't need the | at the start of the subsearch. It's implicit, which is why there's an error in the first place.


martin_mueller
SplunkTrust

Take a look at the return command in the splunk docs as well.


chrlshrnbrgr
New Member

Thanks, I figured out the same by looking through other questions tagged with subsearch. Here's what I ended up with:

sourcetype=unicorn HTTP_CODE>=400 [ | search SID!=SID_UNKNOWN sourcetype=unicorn account=customer@example.com | top SID | table SID ] | top HTTP_CODE
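Pulling the answers together, here is the subsearch written the way the replies suggest (explicit search command, dedup instead of top so no SID is dropped); this is an added example, not a query from any poster, and it only uses the field names and values already in the thread:

```spl
sourcetype=unicorn HTTP_CODE>=400
    [ search sourcetype=unicorn account="customer@example.com" SID!=SID_UNKNOWN
      | dedup SID
      | fields SID ]
| top HTTP_CODE

sourcetype=unicorn HTTP_CODE>=400
    [ search sourcetype=unicorn account="customer@example.com" SID!=SID_UNKNOWN
      | dedup SID
      | return 1000 SID ]
| top HTTP_CODE
```

The subsearch runs first and its rows are rewritten into `( (SID="a") OR (SID="b") ... )` and spliced into the outer search, so only events from that account's sessions reach top HTTP_CODE. The second form uses the return command martin_mueller mentions, whose leading number raises its row limit from the default of 1.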