Splunk Search

Use the result from the subsearch to a main search

thenormalone
Path Finder

In one of the search strings, I have an event from which i extract the correlation ids and in turn want to search through there correlation ids to get an event which has a text in from of the correlation id (eg: abc: <correlation_Id>.

 

when I try 

index=ind1 [search sttring 1 | table correlationId], the log which has the string of "abc: <correlation_Id>" is not coming back. But if i search for one of the correlationIds from the table I get that event.

 

I'm not sure what I'm doing wrong here. That event I'm trying to get has a string "abc" in front and I feel like that's causing the results to not come back.

Labels (4)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

You should add rename correlation_id as search into sub search e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fiel...

Also it’s more efficient to replace table with fields as then this search will run on indexers instead of search head.

r. Ismo

View solution in original post

swong_splunk
Splunk Employee
Splunk Employee

Try adding the | format command in the subsearch

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/FORMAT

This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search.

index=ind1
[search sttring 1
| table correlationId
| format]

0 Karma

thenormalone
Path Finder

well if I'm not mistaken that gives me 

index=ind1 "correlation-id=<correlation_Id>" 

 

so it still isn't giving me that event which has the format "abc: <correlation_Id>"

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You should add rename correlation_id as search into sub search e.g. https://community.splunk.com/t5/Splunk-Search/Can-a-subsearch-return-only-the-value-without-the-fiel...

Also it’s more efficient to replace table with fields as then this search will run on indexers instead of search head.

r. Ismo

View solution in original post