Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subsearch only returns 1 value

Thuan
Explorer
‎05-14-2014 10:39 AM

The search below produces multiple values for c_ip

index=proxy*
| fields c_ip s_op d_ip r_host d_port cs_bytes cs_uri referer c_agent
| lookup RedSkyIOCip-Proxy Indicator AS d_ip OUTPUT Source ReferenceAttribution
| search Source=RedSkyIOC
| table _time c_ip d_ip Source ReferenceAttribution cs_uri referer c_agent

When it is modified to become a subsearch as below, the subsearch only returns 1 value for c_ip. What is not working?

index=in_index
[ search index=proxy
| fields c_ip s_op d_ip r_host d_port cs_bytes cs_uri referer c_agent
| lookup RedSkyIOCip-Proxy Indicator AS d_ip OUTPUT Source ReferenceAttribution
| search Source=RedSkyIOC
| dedup c_ip
| rename c_ip AS s_ip
| return s_ip ]
| table _time s_ip d_ip d_port action | sort s_ip

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2014 11:12 AM

The return command defaults to returning a single value. Try replacing it with a field command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...