Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Users subsearch in event type not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
11-29-2019
08:55 AM
This is my search I am trying to use in an event type so I can tag my events.
index = mail
| eval Subject=coalesce(Subject,subjectx)
| search
Subject = "*NVEM Battery Alert*"
But i get this error? "Message: Eventtype search string cannot be a search pipeline or contain a subsearch"
How would I achieve my search without the subsearch
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
woodcock
Esteemed Legend
11-29-2019
11:13 AM
Like this:
index="mail" AND (Subject="*NVEM Battery Alert*" OR subjectx="*NVEM Battery Alert*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
woodcock
Esteemed Legend
11-29-2019
11:13 AM
Like this:
index="mail" AND (Subject="*NVEM Battery Alert*" OR subjectx="*NVEM Battery Alert*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
12-04-2019
01:06 AM
However, if I want to run multiple searches against lots of subjects, how can I make this more elegant.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
12-06-2019
04:37 AM
I ended up creating an alias which did the job for me 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
woodcock
Esteemed Legend
12-04-2019
02:46 AM
Use the field IN("value1", "value2", ... , "valueZ") syntax
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arjunpkishore5
Motivator
11-29-2019
10:16 AM
Can you post the whole query ? Or is this it ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
arrowecssupport
Communicator
12-04-2019
01:05 AM
This is it?
Did you miss .conf21 Virtual?
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
Get Updates on the Splunk Community!
