×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
chrlshrnbrgr
New Member
Member since: ‎03-13-2013
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-13-2013
Activity Feed
View All

Re: "Unknown search command" with subsearch

by in Splunk Search
‎03-13-2013 08:25 AM
‎03-13-2013 08:25 AM
Thanks, I figured out the same by looking thru other questions tagged with subsearch. Here's what I ended up with: sourcetype=unicorn HTTP_CODE>=400 [ | search SID!=SID_UNKNOWN sourcetype=unicorn account=customer@example.com | top SID | table SID ] | top HTTP_CODE ... View more

"Unknown search command" with subsearch

by in Splunk Search
‎03-13-2013 08:11 AM
‎03-13-2013 08:11 AM
I'm stumbing over subsearches. In our system, app server logs contain an SID (session ID). It's trivial to find all (valid/known) SIDs for a given account with: SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID I can also break down the status codes easily: sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE But I can't figure out how to put the two together using a subsearch. If I try: sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE [ SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID ] I get: Unknown search command 'sid'. What am I missing here? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM