cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
thanchen
Explorer
Member since: ‎10-11-2019
‎06-08-2023
Community Statistics
Posts 8
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎10-11-2019
Activity Feed
View All

Re: How to use subsearch without a field name? (bu...

by in Splunk Search
‎06-07-2023 03:27 AM
‎06-07-2023 03:27 AM
The answer is already in the link, sorry I didn't read it carefully at the begining, the discusstion with Giuseppe lead to the same solution. <your_main_search> [ search <your_secondary_search> | eval search="(\"" + field1 + "\" AND \"" + field2 + "\")" | stats values(search) AS searches | eval search=mvjoin(searches, " OR ") | fields search ]   ... View more

Re: How to use subsearch without a field name? (bu...

by in Splunk Search
‎06-07-2023 03:11 AM
‎06-07-2023 03:11 AM
Looks by doing below, it could cover the case that have multi rows results in subsearch. <your_main_search> [ search <your_secondary_search> | eval search="(\"" + field1 + "\" AND \"" + field2 + "\")" | stats values(search) AS searches | eval search=mvjoin(searches, " OR ") | fields search ] ... View more

Re: How to use subsearch without a field name? (bu...

by in Splunk Search
‎06-07-2023 02:42 AM
‎06-07-2023 02:42 AM
Thanks @isoutamo , this one works, but only work for one row output in subsearch but in real world, we may need more than one row results in subseach, just like the official document shows: (val1_1 AND val1_2) OR (val2_1 AND val2_2) https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults cc: @gcusello  ... View more

Re: How to use subsearch without a field name? (bu...

by in Splunk Search
‎06-07-2023 02:20 AM
‎06-07-2023 02:20 AM
My example in only a Minimal, Reproducible Example val1 and val2 comes from two fields field1 and field2 Use the subsearch two times should be a workaround, but if I want three or more, I believe there should be a solution. And I tried `| rex mode=sed field=search "s/(field1|field2)=//g"` at the end of subsearch, no luck. ... View more

Re: How to use subsearch without a field name? (bu...

by in Splunk Search
‎06-07-2023 01:50 AM
‎06-07-2023 01:50 AM
Hi Giuseppe, I tried this, it only gives me `premakeresults 1 ( ( val1_1 ) )` I need `premakeresults 1 ( ( val1_1 AND val1_2 ) )` ... View more

How to use subsearch without a field name? (but ju...

by in Splunk Search
‎06-07-2023 01:03 AM
‎06-07-2023 01:03 AM
Here is the document, but how? https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Changetheformatofsubsearchresults       Using the query field name Use the query field name when you want the values in the fields returned from the subsearch, but not the field names. The query field name is similarly to using the format command. Instead of passing the field and value pairs to the main search, such as: (field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2) Using the query field name passes only the values: (val1_1 AND val1_2) OR (val2_1 AND val2_2)       When rename one fields as query, got `remoteSearch premakeresults 1 ( ( field2="val1_2" AND val1_1 ) )` in inspect job log's remoteSearch. What I want is `remoteSearch premakeresults 1 ( ( "val1_2" AND val1_1 ) )`     | makeresults 1 [ | makeresults 1 | eval field1="val1_1" | eval field2="val1_2" | fields field1 field2 | rename field1 AS query ```| rename field2 AS query``` ]     Below post only rename one field as query. https://community.splunk.com/t5/Splunk-Search/How-to-use-subsearch-without-a-field-name-but-just-with-field/m-p/449282   @woodcock sorry to bother you, seeing a lot of high quality answers from you, seeking your help here. ... View more
Labels

Re: Can one do less than greater than comparisons ...

by in Splunk Search
‎10-12-2019 03:15 AM
‎10-12-2019 03:15 AM
I have tried this, but with no luck. Seems that inputlookup's where clause can only filter it's own fields, my _time field was from before join. My current solution is like: search something | join type=left max=0 product_id [ | inputlookup http_status | table effective_start_date, effctive_end_date, price ] | where (_time>effective_start_date) AND (_time<effective_end_date) ... View more

Re: Can one do less than greater than comparisons ...

by in Splunk Search
‎10-11-2019 11:41 PM
‎10-11-2019 11:41 PM
My situation is a little different, not IP range but time range for price。I‘m looking for something like this: ... | lookup price ( _time>effective_start_date AND _time<effctive_end_date) outputnew price AS history_price Unfortunately, this doesn't match lookup syntax. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-08-2023 08:20 AM
Karma given to
View All