Splunk Search

Iterative subsearch (iterative OR search, at any rate)

howyagoin
Contributor

Looking for a sanity check here. I want to search my Splunk for a long list of field values (essentially, an OR for each value) and the best way to get that list of values is by searching for them.

So a subsearch seemed like the right path to travel, but yields no hits, so I'm unsure if that's my search or my data.

I've tried:

index=main [ search index=pp "item purchased"
| rex field=_raw "obtained (?<item>\w+)"
| fields item ]

With and without a | format at the end (based on searching here for others trying to do what I am trying to do), or changing my wildcard * search for item="*" and so on.

Basically, I want to find every occurrence in my Splunk for each item purchased. I'm sure this is easy to do, I'm just missing something obvious.

1 Solution

sideview
SplunkTrust

Say there are three results in the subsearch, it will come out into the main search clause looking like:

index=main ( item=A OR item=B OR item=C )

And I suspect that you don't want to search for a field called 'item', but you instead want to just search for (A OR B OR C). This is a little clunky, but how you do that in a Splunk subsearch is you rename the field to either 'search' or 'query'.

index=main [ search index=pp "item purchased" 
| rex field=_raw "obtained (?<item>\w+)" 
| fields item | rename item as search]


carasso
Splunk Employee

Yes, my bad. "| return -1 $item" will return "val1 OR val2 OR val3", while "| return -1 item" will return "item=val1 OR item=val2 OR item=val3"

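Added example (Python, not Splunk's own code and not from any post in this thread): a small model of how the subsearch's result rows are rendered into the outer search, covering both forms discussed above, the field=value form from "fields item" / "return -1 item" and the bare-value form from "rename item as search" / "return -1 $item". Quoting of values and the empty-subsearch case are simplified assumptions, not Splunk's exact behaviour.

```python
# Rules as described in the thread: a column named "search" or "query"
# (or a value returned as $item) is emitted bare, any other column is
# emitted as field=value, rows are joined with OR, and "return" drops
# duplicates. Value quoting is a simplification (assumption).

def quote_value(value: str) -> str:
    """Leave bare words alone, quote anything else (simplified)."""
    if value and all(c.isalnum() or c in "_-." for c in value):
        return value
    return '"' + value.replace('"', '\\"') + '"'

def render_subsearch(rows, field="item", keep_field=True):
    """Render result rows (list of dicts) as the OR clause the outer search sees.

    keep_field=True  ~ '| fields item' or '| return -1 item'  -> item=A OR item=B
    keep_field=False ~ '| rename item as search' or '| return -1 $item' -> A OR B
    """
    seen = []
    for row in rows:
        value = row.get(field)
        # Rows where the rex never extracted the field contribute nothing;
        # duplicates are dropped the way "return" does.
        if value is None or value in seen:
            continue
        seen.append(value)
    if not seen:
        return ""  # nothing to OR together (Splunk's own handling not modelled)
    if keep_field:
        terms = [f"{field}={quote_value(v)}" for v in seen]
    else:
        terms = [quote_value(v) for v in seen]
    return "( " + " OR ".join(terms) + " )"

def build_search(outer="index=main", rows=(), **kw):
    """Splice the rendered clause into the outer search string."""
    return f"{outer} {render_subsearch(list(rows), **kw)}".strip()

# Constructed sample rows, as the rex in the thread might extract them;
# the last row stands for an event where the regex did not match.
SAMPLE_ROWS = [{"item": "A"}, {"item": "B"}, {"item": "A"},
               {"item": "C"}, {"_raw": "no match here"}]

if __name__ == "__main__":
    print(build_search(rows=SAMPLE_ROWS, keep_field=True))
    print(build_search(rows=SAMPLE_ROWS, keep_field=False))
```

Running it side by side makes the difference visible: the first form only matches events that carry an extracted field named item, the second matches the raw values anywhere in index=main.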

gkanapathy
Splunk Employee

Based on the above discussion, I think that regarding carasso's answer, the return command should be

... | return -1 $item ...

rather than

... | return -1 item ...

which does what renaming the item field to search does.


carasso
Splunk Employee

Simpler: replace the 'fields' and 'rename' with 'return', which also removes duplicates:

index=main [ search index=pp "item purchased"
| rex field=_raw "obtained (?<item>\w+)"
| return -1 item]


howyagoin
Contributor

Great, Nick, thanks. By changing this to "as query" rather than "as search" the magic happened. From 0 hits to 81,000, just like that. Thanks!
