Splunk Search

using a subsearch in an outer search problem

Phynyte
New Member

I'm trying to use the results from a subsearch in the outer out search to pull info i'm looking for

right now it looks like this. But i'm stuck because it's not working.

host=list | search earliest=-8d@d latest=@d | table uniqueID "Last Name" | stats dc(Last Name) by uniqueID | rename dc(...

I need to take the "uniqueID" results and research those logs and pull different information. Any help would be awesome.

Tags (1)
0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

Hi Phynyte:

There are a couple of issues with your search - so let's talk troubleshooting and sub search first before worrying about what your search is actually doing.

The subsearch is executing independently of the outer search - so to test, you always want to take that code and run it separately, just to check for syntax errors so you don't go nuts wondering why things aren't working.

In this case, you are absolutely missing some key factors on both the inner and outer search. Unless your user role is super locked down to one index and one sourcetype you are basically asking Splunk to run all over the place and guess which ones you want, as long as that one host is involved. So you want to add index and or sourcetype for sure. Use wildcards if you like.

That said... search command belongs inside the square bracket. It is part of the sub search. So that is another reason why things are not running.

Your table command: table doesn't allow you to rename fields. I see what you are trying to do, but that's not the way to accomplish the rename.

That said... let's not pick apart your subsearch, because it isn't doing what I think you meant it to.

It looks like you are actually aiming for something more along the lines of Example 2 in the doc.

sourcetype=access* status=200 action=purchase [search sourcetype=access* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId), values(productId) by clientip

Where a unique value is pulled from the index with the inner search (which runs first) and passed to the outer search which then does something with it.

In the end - when working with subsearch it's a good idea to:


  1. be as specific as you can about index, sourcetype etc for efficiency

  2. run each search independently to be sure they bring back data (hard code a value in the outer search to represent the sub search parameter)

  3. use the job inspector to see what Splunk is actually doing, so you know you're not sending Splunk in circles when you don't mean to... which is easy to do when using subsearch.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...