Solved: subsearch breaks on different index? subsearch for...

Alex_Megremis · ‎01-27-2011

Hi all,

I have

index01

which has all the web server log data that I'm interested in.

I have

index02

which has parsed a CSV containing configuration values (in this case peak period start and end hours), as well as timestamp and version columns

If I run

index="index01"                    // I have also tried including here     OR index="index02"
eventtype="myIndex01EventType" 
time_hour > [search 
                index="index02" 
                "KEY_NAME" 
                | sort VERSION DATE 
                | head 1 
                | fields VALUE
                | rename VALUE as time_hour  // I have tried renames to "query" and "search"
                | convert num(time_hour)]    // I have tried without the convert

I get

Error in 'UnifiedSearch': Unable to parse the 'Invalid RHS for comparison' search.

The subsearch, if run on its own, returns a single event, with a single field called time_hour and a value of 5.

I've tried a many variants of this, but my brain is turning to mush.

My closest suspicion is that the subsearch return is somehow incompatible with the comparison (as the message indicates), be it for syntax or semantics.

In case it's not clear, I'm trying to build a search to retrieve events based on, among other things, a peak/off-peak time bracket that's defined in a monitored CSV, and indexed in

index02

Any help would be greatly appreciated.

Thank you.

jrodman · ‎01-27-2011

subsearches don't emit a number, but typically a field state. So conceptually you're saying time_hour > time_hour=x, which is where the search falls down.

There's an alternate way to get search information out of a subsearch, which is to manually construct the magic field 'search', while optionally hiding other constraining fields.

http://answers.splunk.com/questions/3471/using-a-subsearch-to-get-the-time-of-an-event

So you could set the search field in your subsearch to the value of time_hour, or simply construct the string " time_hour > hh" inside the subsearch and store it into the search field.

View solution in original post

jrodman · ‎01-27-2011

subsearches don't emit a number, but typically a field state. So conceptually you're saying time_hour > time_hour=x, which is where the search falls down.

There's an alternate way to get search information out of a subsearch, which is to manually construct the magic field 'search', while optionally hiding other constraining fields.

http://answers.splunk.com/questions/3471/using-a-subsearch-to-get-the-time-of-an-event

So you could set the search field in your subsearch to the value of time_hour, or simply construct the string " time_hour > hh" inside the subsearch and store it into the search field.

Alex_Megremis · ‎01-28-2011

That worked like a charm. Thank you.

subsearch breaks on different index? subsearch for date_hour greater than

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

subsearch breaks on different index? subsearch for date_hour greater than

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25