Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

subsearch passing info

mcbradford
Contributor
‎02-24-2012 12:51 PM

I perform a serach that gives me a host name, but within the returned data the event does not contain the host_ip. Within the same index, a different type of event contains both values.

I think this can be done with a subsearch?

Is there any function within splunk to enrich the original event? Like a lookup?

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎02-26-2012 08:18 PM

Try this

<your original search> | join hostname [search sourcetype=<other event type> | fields + host_id ]
0 Karma
Reply

MarioM
Motivator
‎02-24-2012 01:37 PM

easier than subsearch would be :

 <your search>  hostname=* host_ip=*

as it will only return event containing value in hostname AND in host_ip

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...