Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use subsearch result as fulltext search in outer search

woezelmann
Engager
‎07-10-2015 12:22 AM

Is it possible to use the result value of a subsearch as a fulltext (or wildcard) search in the outer search. I have a subsearch like this:

servertype=abc "some search terms" | fields correlation_id

and now I want to use the resulting correlation ids to find other entries, but these entries do not have a dedicated correlation_id field, it is just somewhere inside the text, so this is not working

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id]

because splunk is searching for a correlation_id field, which does not exist.

This is a very simplified example, but I hope you get my problem.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 01:06 PM

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]

View solution in original post

Reply
Solved! Jump to solution

marcoscala
Builder
‎03-17-2016 04:52 AM

Use this:

servertype=xyz "some other seach terms" [search servertype=abc "some search key" | fields correlation_id | rename correlation_id as search]

as stated here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

Reply
Solved! Jump to solution

606866581
Path Finder
‎07-27-2018 06:11 AM

I had to use ..... | rename correlation_id as query]

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 01:06 PM

OK, this is funky but it works:

 ... | eval raw=_raw | search [search servertype=abc "some search terms" | eval raw= "*" . correlation_id . "*" | fields raw]
Reply
Solved! Jump to solution

woezelmann
Engager
‎07-13-2015 08:38 AM

Great, now it works. Thank you very much!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-10-2015 06:50 AM

This should work (but performance will be slow)

[servertype=abc "some search terms" | eval _raw = "*" . correlation_id . "*" | fields _raw]

But for some reason it does not and I don't know why!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-10-2015 08:47 AM

Further testing is also strange:

|noop | stats count | eval _raw="*972*" | fields _raw | format
|noop | stats count | eval raw="*972*" | fields raw | format | replace "*raw*" with "*_raw*"

These should both create a field called search with value ( ( _raw="*972*" ) ) but they don't.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...