I'm trying to use the results from a subsearch in the outer search to pull the info I'm looking for.
Right now it looks like this, but I'm stuck because it's not working.
host=list | search earliest=-8d@d latest=@d | table uniqueID "Last Name" | stats dc(Last Name) by uniqueID | rename dc(...
I need to take the "uniqueID" results and research those logs and pull different information. Any help would be awesome.
Hi Phynyte:
There are a couple of issues with your search, so let's talk about troubleshooting and subsearches first before worrying about what your search is actually doing.
The subsearch executes independently of the outer search, so to test it, always take that code and run it separately, just to check for syntax errors so you don't go nuts wondering why things aren't working.
In this case, you are absolutely missing some key factors on both the inner and outer search. Unless your user role is super locked down to one index and one sourcetype, you are basically asking Splunk to run all over the place and guess which ones you want, as long as that one host is involved. So you want to add index and/or sourcetype for sure. Use wildcards if you like.
That said... the search command belongs inside the square brackets. It is part of the subsearch. So that is another reason why things are not running.
Your table command: table doesn't let you rename fields. I see what you are trying to do, but that's not the way to accomplish the rename.
That said... let's not pick apart your subsearch, because it isn't doing what I think you meant it to.
It looks like you are actually aiming for something more along the lines of Example 2 in the doc.
sourcetype=access* status=200 action=purchase [search sourcetype=access* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId), values(productId) by clientip
Here a unique value is pulled from the index by the inner search (which runs first) and passed to the outer search, which then does something with it.
In the end, when working with subsearches, it's a good idea to:
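As an added example (not the asker's search and not from the Splunk docs), here is the asker's search put into the shape the answer describes, with index and sourcetype added and the subsearch tested on its own first. `index=my_index` and `sourcetype=my_sourcetype` are placeholders, `dc()` is kept only so the inner search mirrors the original, and the fields pulled by the outer stats are assumed.

```spl
index=my_index sourcetype=my_sourcetype host=list earliest=-8d@d latest=@d
| rename "Last Name" AS last_name
| stats dc(last_name) AS name_count by uniqueID
| fields uniqueID
| format

index=my_index sourcetype=my_sourcetype host=list
    [ search index=my_index sourcetype=my_sourcetype host=list earliest=-8d@d latest=@d
      | rename "Last Name" AS last_name
      | stats dc(last_name) AS name_count by uniqueID
      | fields uniqueID ]
| stats count, values("Last Name") AS last_names, earliest(_time) AS first_seen, latest(_time) AS last_seen by uniqueID
```

The first search is the subsearch run by itself: `| format` shows the `(uniqueID="...") OR (uniqueID="...")` filter that will be spliced into the outer search, and `| fields uniqueID` keeps `name_count` out of that filter. The outer search has no earliest/latest of its own, so it uses the time picker; also remember a subsearch is capped by default at 10,000 results and 60 seconds, and is silently truncated beyond that.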