Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: search within a sub-search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search within a sub-search
I have been working on a search for a table view, what I want is to be able to see the results from this search from two different time frames o the same table, the first time frame brings back the results correctly; when I use the search command to run the same search with a different time frame to display it on the table is when things don't seem to be going well. This is the search:
index="XXX" sourcetype="XXX" host=$host1$ earliest=-37d@d latest=-30d@d action="drop" OR action=blocked | top limit=20 src | append [search index="XXX" sourcetype="XXXX" host=$host1$ earliest=-7d@d latest=now action="drop" OR action=blocked | top limit=20 src ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, the only problem is that on the table I can't see both fields (src), the one from seach 1 and the other one from serch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you didn't table src, is that the problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you can see _time,_raw and host all you need is to add src field to the table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What exactly is the issue you're having? You should be able to do this without a problem.
I do exactly this pretty often - the only immediate difference I notice is that you don't have quotations around $host1$. Try that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like you are checking the search events , can you try this and check in the statistics tab?
index="XXX" sourcetype="XXX" host=$host1$ earliest=-37d@d latest=-30d@d action="drop" OR action=blocked | top limit=20 src |table _time,host,_raw| append [search index="XXX" sourcetype="XXXX" host=$host1$ earliest=-7d@d latest=now action="drop" OR action=blocked | top limit=20 src |table _time,host,_raw]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
