Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Use subsearch result as fulltext search in out...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to use the result value of a subsearch as a fulltext (or wildcard) search in the outer search. I have a subsearch like this:
servertype=abc "some search terms" | fields correlation_id
and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field, it is just somewhere inside the text, so this is not working
servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id]
because splunk is searching for a correlation_id field, which does not exist.
This is a very simplified example, but I hope you get my problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, this is funky but it works:
... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this:
servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id | rename correlation_id as search]
as stated here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had to use ..... | rename correlation_id as query]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, this is funky but it works:
... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great, now it works. Thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should work (but performance will be slow)
[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw]
But for some reason it does not and I don't know why!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Further testing is also strange:
|noop | stats count | eval _raw="*972*" | fields _raw | format
|noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*"
These should both create a field called search with value ( ( _raw="*972*" ) ) but they don't.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
