Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why two searches work separately, but subsearch leads to no results?

kkas
Path Finder
‎06-09-2015 06:54 AM

Beginner here,

I've been trying to practice subsearching, but I've come across a problem I couldn't figure out how to get around. So I'm trying to search source A and find the top IP corresponding with the net-id. This search works when I do it separately and outputs an IP address. From there I want to search through another source type for info corresponding with this IP address. My full search looks like this 

search source=B [search source=A net_id=Alpha| dedup ip|top limit=1 ip| fields ip]

If I manually enter the ip like so: search source=B "___.___._.___" <- (same numbers that output if I search source=A net_id=Alpha|dedup ip|top limit=1 ip|fields ip ) it outputs expected results, but if I try and do it in one go like its written above using a subsearch, I get no results. Any ideas?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-09-2015 06:58 AM

With subsearches, by default fields matter. Your subsearch is actually outputting something more like

( ip = 1.2.3.4 )

So the assumption is that source "B" has a field named ip, with a value of 1.2.3.4. You can rename the output field from the subsearch to match the source "B" fields, or you can tell the subsearch to output the field "naked" by renaming the output field ip to query. See http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changetheformatofsubsearchresults

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-09-2015 06:58 AM

With subsearches, by default fields matter. Your subsearch is actually outputting something more like

( ip = 1.2.3.4 )

So the assumption is that source "B" has a field named ip, with a value of 1.2.3.4. You can rename the output field from the subsearch to match the source "B" fields, or you can tell the subsearch to output the field "naked" by renaming the output field ip to query. See http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changetheformatofsubsearchresults

Reply
Solved! Jump to solution

kkas
Path Finder
‎06-09-2015 07:03 AM

Thanks so much for the quick reply!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...