Splunk Search

Can a subsearch return only the value (without the fieldname)?

gkanapathy
Splunk Employee
Splunk Employee

(Copied from a legacy Splunk Forums post by user bpf)

Hello

I have the following problem:

  • I have a Name. With this Name I search the clID first.
  • Then I will search in several sources this clID-Value.

I have the following search:

index="myindex" [ index="myindex" host="myhost" <Name> | top limit=1 clID | fields + clID ]

The subsearch returns something like: ( (clID="0050834ja") )

Now, my problem is, that in the different sources the clID-Value appears in different fields. Is there a way that the subsearch return only the field-Value ("0050834ja") without the fieldname?

Thanks for your help. Bruno

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Yes. Do this:

index=myindex [ index=myindex host=myhost MyName | top limit=1 clID | fields + clID | rename clID as search ]

If the field is named search (or query) the field name will be dropped and the subsearch (or technically, the implicit |format command at the end of the subsearch) will drop the field name and return ( ( 0050834ja ) ). Multiple results will return, e.g., ( ( value1 ) OR ( value2 ) OR ( value3 ) ).

This is a special case only when the field is named either "search" or "query". Renaming your fields to anything else will make the subsearch use the new field names.

View solution in original post

markbarber21
Path Finder

Best practice is to return using the '$' dollar symbol before your field name | return $field_name at the end of your SubSearch.
This will return just the values, and not the field name.

index=myindex 
  [ index=myindex host=myhost MyName | top limit=1 clID | fields + clID | return $clID ]


(clID=val1 OR clID=val2 OR clID=val3)
becomes
(val1 OR val2 OR val3)

juanian
Engager

One more tidbit. I was having a problem with my multi-result subsearch only returning one value (to the main search) when I used the fieldname search. On a lark, I happened to try using the fieldname query (instead of search), and then my subsearch returned more than one value. I've tried and tried to find the difference between search and query mentioned in the documentation somewhere, but (so far) I've not had any luck. (Heck, the documentation for "format" doesn't even mention that it does anything special with fields named search or query - isn't that where it should be mentioned? There is that partial sentence (in the above answer and in the How Subsearches Work section) that says "Multiple results will return" - maybe that sentence was also supposed to mention the use of the fieldname query?)

Sorry - I've only been using Splunk for about a week, so I'm just in the learning phase at the moment. So far, I like Splunk - figuring out how to make use of its power has been the challenging part 🙂 .

gkanapathy
Splunk Employee
Splunk Employee

Yes. Do this:

index=myindex [ index=myindex host=myhost MyName | top limit=1 clID | fields + clID | rename clID as search ]

If the field is named search (or query) the field name will be dropped and the subsearch (or technically, the implicit |format command at the end of the subsearch) will drop the field name and return ( ( 0050834ja ) ). Multiple results will return, e.g., ( ( value1 ) OR ( value2 ) OR ( value3 ) ).

This is a special case only when the field is named either "search" or "query". Renaming your fields to anything else will make the subsearch use the new field names.

Paolo_Prigione
Builder

With v6.4, renaming the field to "search" only returns the first results. "query" works though:

`[makeresults count=5 | eval v=1 | accum v | rename v as query]`
 -->
 *normalizedSearch* = `litsearch ( ( 1 ) OR ( 2 ) OR ( 3 ) OR ( 4 ) OR ( 5 ) ) | ....`

dd_msearles
Path Finder

This really needs to be documented, massive thanks for the "query" suggestion.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Oops, well, not quite as it returns the first clID, not the top 1 clID, but that was more to make the point.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

As of version 4.3, you can also use the new return search command, which makes things easier to type. The above would be done as:

index=myindex [ index=myindex host=myhost MyName | return 1 $clID ]

See: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return

jpwilliamsnw
Engager

This answer helped me out a lot super clean and simple and useful when you're stuck in a situation where you have to do other searches first to drive your data. Thank you!!!!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...