×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
seemakurthy
New Member
Member since: ‎06-21-2019
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-21-2019
Activity Feed
View All

Re: Sub-search not yielding results in SQL

by in Splunk Search
‎07-11-2019 09:56 AM
‎07-11-2019 09:56 AM
Stop thinking SQL; try this: (index="cf-pci" cf_app_name="order-event-publisher*" "Posted event message for OrderId*") OR (index=pt-supply-chain-visibility sourcetype=scv-listener-oms:application:access "message.data.status"=processed) | rex "Posted event message for OrderId (?<OrderNo>[A-Z0-9]*), versionId (?<VerId>[0-9]*)" | eval return = colesce(OrdNo,message.data.domainId) . "/" . colesce(VerId, message.data.versionId) | stats dc(index) AS index_count values(index) AS index BY return | where index_count==1 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM