Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Users subsearch in event type not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
11-29-2019
08:55 AM
This is my search I am trying to use in an event type so I can tag my events.
index = mail
| eval Subject=coalesce(Subject,subjectx)
| search
Subject = "*NVEM Battery Alert*"
But i get this error? "Message: Eventtype search string cannot be a search pipeline or contain a subsearch"
How would I achieve my search without the subsearch
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
woodcock
Esteemed Legend
11-29-2019
11:13 AM
Like this:
index="mail" AND (Subject="*NVEM Battery Alert*" OR subjectx="*NVEM Battery Alert*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
woodcock
Esteemed Legend
11-29-2019
11:13 AM
Like this:
index="mail" AND (Subject="*NVEM Battery Alert*" OR subjectx="*NVEM Battery Alert*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
12-04-2019
01:06 AM
However, if I want to run multiple searches against lots of subjects, how can I make this more elegant.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
12-06-2019
04:37 AM
I ended up creating an alias which did the job for me 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
woodcock
Esteemed Legend
12-04-2019
02:46 AM
Use the field IN("value1", "value2", ... , "valueZ") syntax
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arjunpkishore5
Motivator
11-29-2019
10:16 AM
Can you post the whole query ? Or is this it ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
12-04-2019
01:05 AM
This is it?
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for
Giving Your Review!
It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!
Review:
SOAR (f.k.a. Phantom) >>
Enterprise Security >>
Splunk Enterprise or Cloud for Security >>
Observability >>
Or Learn More in Our Blog >>
