Splunk Search

Subsearch: Returning the results from the subsearch and outer/primary search simultaneously.

metersk
Path Finder

Is it possible to return the results from a subsearch alongside the results of the outer/primary search?

[search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg

Of course, I can run the subsearch portion as a separate query, but it would be nice to return the results along side the outer search. Is this possible?

1 Solution

ngatchasandra
Builder

Hi metersk,

Try with appendcols command like this :

`Your primary search' | join  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg  |appendcols  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]

View solution in original post

ngatchasandra
Builder

Hi metersk,

Try with appendcols command like this :

`Your primary search' | join  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid] earliest=-14d@d latest=-0d@d ns=email msg=email_unsub_click | stats count by msg  |appendcols  [search earliest=-14d@d latest=-0d@d (ns=email msg=send gender=f  tid=*74) OR (msg=eis direction=sent gender=f) | transaction uid startswith=(msg="eis") maxspan=60m | eval emailsReceived = eventcount - 1 | where emailsReceived > 15 | fields uid]

dwaddle
SplunkTrust
SplunkTrust

Um, "maybe", depending on your exact use case.

The canonical use case for a subsearch is to define a filter for the outer search. The subsearch runs and its output is transmogrified (via the format command) into SPL. So the output of a subsearch looks something like:

(  ( uid = AAA ) OR ( uid = BBB ) OR ( uid = CCC ) )

The output of the subsearch text-replaces the [ $SUBSEARCH ] part of the outer search. This isn't exactly useful for you "as search results" because it's been transformed. And because of the text-replacement approach, the subsearch MUST run to completion before the outer search can begin.

For some use cases with subsearches - where you're not trying to use a subsearch as a filter for the primary search, you might find the multisearch command useful:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch

This lets you run multiple searches in parallel and return results simultaneously. However, as I understand your use case above this is probably not that useful in this example.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...