cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
bosseres1
Engager
Member since: ‎08-15-2022
‎08-16-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎08-15-2022
Activity Feed
View All

Re: Subsearch problem

by in Splunk Search
‎08-16-2022 02:09 AM
‎08-16-2022 02:09 AM
I think I understood and the thing is that subsearch generates more than 10000 results, main search can't perform them all. ... View more

Re: Subsearch problem

by in Splunk Search
‎08-16-2022 01:55 AM
‎08-16-2022 01:55 AM
I've tried it, but not works. Though in Index1 there is an event, containing same Logon_ID that I'm trying to find in Index2.  ... View more

Re: Subsearch problem

by in Splunk Search
‎08-16-2022 01:47 AM
‎08-16-2022 01:47 AM
yes, I need to get main search with such condition  index="2" EventCode=4662 AND (Condition="1" OR Condition="2") AND (Logon_ID="1" OR Logon_ID="2") where (Logon_ID="1" OR Logon_ID="2") are taken from subsearch ... View more

Subsearch problem- Why am I only receiving 1 value...

by in Splunk Search
‎08-16-2022 01:23 AM
‎08-16-2022 01:23 AM
Hello everyone, asking your help with my subsearch query. I need to find events in index="1", take from it Logon_ID, and run search query in another one index (index="2"). My current search index="2" EventCode=4662 AND (Condition="1" OR Condition="2") [ search index="1" EventCode=4624 Logon_Type=3 | eval Logon_ID=lower(Logon_ID) | eval Logon_ID=mvindex(Logon_ID,-1) | fields Logon_ID] It doesn't work, as I understand main search runs only by 1 Logon_ID, though in index1 there are many Logon_ID values. What could be the reason? Thank you. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-16-2022 08:10 AM
Karma given to
View All