sub search not working

csahoo · ‎11-05-2023

i want the sub query search result which is a list of tracking id in my main query in clause but none of them are working.
subquery and main working individually but after combining both it's not working, i tried with 3 different option but none of the below are working

1.
index="dockerlogs-silver" source="*gps-external-processor-prod*" "Handle 500 Server error" OR "Handle 4xx error" | where traceID IN ([search index="dockerlogs-silver" source="*gps-external-processor-prod*" "00012342231515417786" | stats values(traceID) as trackingID | eval trackingid="\"".mvjoin(trackingid,"\",\"")."\""])

2.
index="dockerlogs-silver" source="*gps-external-processor-prod*" "Handle 500 Server error" OR "Handle 4xx error" |where traceID IN ([search index="dockerlogs-silver" source="*gps-external-processor-prod*" "00012342231515417786" | stats values(traceID) as trackingid | table trackingid | stats values(eval("\"".trackingid."\"")) as search delim="," | nomv search])

3.
index="dockerlogs-silver" "Handle 500 Server error" OR "Handle 4xx error" |where traceID IN ([index="dockerlogs-silver" source="*gps-external-processor-prod*" "00012342231515417786" | stats values(traceID) | format]) |table traceID

ITWhisperer · ‎11-06-2023

Try something like this

index="dockerlogs-silver" source="*gps-external-processor-prod*" "Handle 500 Server error" OR "Handle 4xx error" | where traceID IN ([search index="dockerlogs-silver" source="*gps-external-processor-prod*" "00012342231515417786" | stats count by traceID
    | eval search="\"".traceID."\""
    | stats values(search) as search
    | eval search = mvjoin(search,",")])

sub search not working

development

other

using Splunk Cloud

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024