×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
JBMiller83
New Member
Member since: ‎09-16-2024
‎09-26-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-16-2024
View All

Re: How to append search results but also filter o...

by in Splunk Search
‎09-26-2024 01:43 PM
‎09-26-2024 01:43 PM
So the best performing solution I could come up with was something like this: index=ind1 earliest=-1d field1=abc field2 IN ([search index=ind1 earliest=-1d "A" field1=xyz | stats count by field2 | fields field2 | rename field2 as query | format mvsep="" "" "" "" "" "" "" | replace "NOT ()" WITH ""]) | append [search index=ind1 earliest=-1d "A" field1=xyz]   This way, the parent query is running with the additional filtering provided by the subquery.  One thing I was wondering was whether the search results of "search index=ind1 earliest=-1d "A" field1=xyz" could be stored to not have to run it twice.  Is that possible? ... View more

Re: How to append search results but also filter o...

by in Splunk Search
‎09-17-2024 11:08 AM
‎09-17-2024 11:08 AM
That does seem like that would work as far as getting the results I want, though it leaves one of my issues unsolved.  The parent query "index=ind1 earliest=-1d field1=abc" returns many, many results without the inclusion of some filter on field2.  My initial approach (plus your fix for it) filter those results after that broad search is done which isn't great from a performance perspective.  Perhaps I'm better off just using a join at that point, not sure. Anyway, thanks for the reply 🙂 ... View more

Re: How to append search results but also filter o...

by in Splunk Search
‎09-17-2024 07:57 AM
‎09-17-2024 07:57 AM
Replied in the wrong thread, ignore! ... View more

How to append search results but also filter one q...

by in Splunk Search
‎09-16-2024 02:42 PM
‎09-16-2024 02:42 PM
Hello, I'm trying to write a query where I provide a key identifier (say "A"), and the query both finds matching results, but also uses a field from those results as a filter to another query that provides additional data that's needed.   Obfuscating some things, this is the idea, and the closest I've gotten: index=ind1 earliest=-1d field1=abc | append [search index=ind1 earliest=-1d "A" field1=xyz | rename field2 as f2] | where field2=f2 OR field1="xyz" The idea is that results where field1=xyz and contain "A" have another field, "field2", that is present and has a matching value when field1=xyz or field1=abc.  So I want to be able to search based "A" and get back results where field1=xyz or field1=abc where field2 matches between those 2 sets. I do think a join would probably work here, but I've heard there can be performance issues with that so I was trying to avoid that.  It seems to me that I can't use "where field2=f2", and it also seems the parent search is pulling in a lot of data because of the generally broad terms (I suppose because the piped where command is applied after the fact).  Any ideas of how to write this performantly? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-26-2024 07:41 PM