Search

Min1025 · ‎07-24-2018

Hi all, I have below query and the results like below table, is there a way that only search and display total count for the Users who have error(User1, User2, User3)? index=aaa sourcetype=...

gjcwilliams · ‎03-27-2019

...ith this approach is that there is a join row limit and with my dataset being so large it is not feasible as there is far more Process Events than the join limit. The next approach I had was to use subsearch...

gavinsopra · ‎05-27-2020

My first subsearch – and its not going well. I have two queries I need to combine to get a single results table. My first query finds how many changes there have been and when the most recent c...

jackstephenson9 · ‎11-05-2018

I'm trying to sort smartsheets by certain combinations of row/column values. If I remove one of the 'foreach' blocks, the search works, outputting a new field. With both, however, the search returns ...

ccsfdave · ‎02-06-2015

...ourcetype=ironport mailto=%form_var% which will result in a fields that I can use (icid) to then find the mailfrom field. So I am thinking about a subsearch like: index=email sourcetype=i...

Glasses · ‎09-10-2019

Need some advice writing a subsearch... I have an index=email with two sourcetypes sourcetype=MTA sourcetype=MSG both contain a field with a common value that ties the msg and mta logs t...

kushagra9120 · ‎08-05-2018

index="internal" user!=admin | [search index="internal" | stats count by user] I am trying to run above query but it fails with an error that "Error in 'SearchParser': Subsearches are only valid a...

sistemistiposta · ‎12-16-2015

Hello, I would like to run a scheduled report once. A very log time search, I don't care about performance or time to complete. I set in local limits.conf [subsearch] # maximum number of r...

clincg · ‎08-20-2010

..." only returns about 300 results, but the subsearch is searching across millions of users accounts. If I removed the sub search, the outer search only takes a few seconds to complete. Does a...

splunkin11 · ‎08-30-2016

...n the metadata results but I need to have them show in the final results. I was thinking a subsearch would work but it fails to match up all the records. I only get about 20 matching records but it d...

Search

Search the Community

Question about subsearch

Splunk Subsearch / Join / Combine event query assi...

Issues adding columns from a subsearch

What is the best way to go about using multiple ev...

Subsearch input

How to write an efficient subsearch with or withou...

unable to sun subsearch

How to increase subsearch maxout limit?

Subsearch Performance Optimization

metadata used in subsearch