- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to check a certain (not _raw) field value matc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, when we append a subsearch to a search, it looks for events which _raw field value matches one of the value returned by the subsearch.
Is there a way to check that a certain field value (not _raw like above) matches one of the values returned by the subsearch?
I tried the below, by appending host= to my subsearch results, to force searching on the field host, and nothing else, but it didn't work.
mysearch [mysubsearch|fields host|eval host="host=".host]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
mysearch [mysubsearch|fields host|eval host="host=".host | return $$host]
OR
mysearch [mysubsearch|fields host|eval search="host=".host | table search]
Updated
mysearch [mysubsearch|table host | format ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a solution... which seems unefficient, but works:
mysearch |join host [mysubsearch|fields host]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
mysearch [mysubsearch|fields host|eval host="host=".host | return $$host]
OR
mysearch [mysubsearch|fields host|eval search="host=".host | table search]
Updated
mysearch [mysubsearch|table host | format ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Either
mysearch [ mysubsearch | return 10000 host ]
or in this particular case:
mysearch [ mysubsearch | fields host ]
are the shortest and simplest. You don't need table or field with return. You don't need format because it's implicitly done at the end of a subsearch. You use 10,000 to set the max number of values to be considered. (The default is 1, only the first host will be considered.) In your original question, you didn't mention that you might have mutiple values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I might overlooked the scenario where there will be multiple hosts. You can give the updated answer a try (will be faster than join)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But thanks for help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
None of these solutions work.
No clue what the first one does, plenty of events from wrong hosts are returned in the end.
The second one is very close to my first attempt, but like it, doesn't work. The subsearch produces the output anticipated, but the main one is missing the events from many hosts which should have been included.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
