Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: use a result value, as fieldname in subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a first search, that return "system1"
Then I want to use that value, to get the appropriate value out of a subsearch timechart :
first restult :
system
system1
second result :
system1 system2 system3
_time 1 2 3
_time 4 5 4
_time 4 4 4
How could I do that ?
is there a way to put the first result in a parameter, that could be used in the subsearch as fieldname ?
index=myfirstquery | table system | subsearch [ _time=$_time$ | eval myValue=fieldName[$system$]]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you might be able to turn it around, making the so-called first search the subsearch;
second_search_terms [search first_search_terms | dedup system | fields + system] | further_processing
search_terms would be stuff like earliest / latest, index, sourcetype etc.
The idea is that the inner search will (via the fields + command) only return the field system, so that the outer search will effectively look like;
second_search_terms (system=aaa OR system=bbb or system=ccc) | further_processing
I think that this is what you're after.
EDIT: Fixed a typo
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you might be able to turn it around, making the so-called first search the subsearch;
second_search_terms [search first_search_terms | dedup system | fields + system] | further_processing
search_terms would be stuff like earliest / latest, index, sourcetype etc.
The idea is that the inner search will (via the fields + command) only return the field system, so that the outer search will effectively look like;
second_search_terms (system=aaa OR system=bbb or system=ccc) | further_processing
I think that this is what you're after.
EDIT: Fixed a typo
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well, return and fields are pretty similar in effect
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know pretty well how subsearch work, that doesn't help, but maybe is return what I'm searching for
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Return
I think change subsearch order like Kristian suggested + return function should do the job
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Read up on how subsearches work. http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure if this is bringing me further, where did you pass the fieldname to the second search part ?
If one of the search is returning "system1" as result, I have to read the content of the "system1" field in the second part...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can never pass variables from outer searches to subsearches, because subsearches run before outer searches and as such cannot read values that haven't been extracted/evaluated in the outer searches yet.
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
