Solved: How do you perform a sub search over indexes?

Marinus · ‎09-06-2011

I've recently split up my data into indexes and some of my searches that make use of sub searches are now breaking.

For example I previously did a

tag::host=esb* [search TestService | fields + transaction_id] | transaction transaction_id

To cater for the index change I did

index=test tag::host=esb* [search TestService | fields + transaction_id] | transaction transaction_id

No luck, I even stuck an index into the subsearch with no results.

What is the correct syntax?

Marinus

Marinus · ‎09-09-2011

I found a workaround. I'm using the internal index as an example.

index=_internal [search index=_internal | head 1000 | fields + user] | transaction user

View solution in original post

Marinus · ‎09-09-2011

I found a workaround. I'm using the internal index as an example.

index=_internal [search index=_internal | head 1000 | fields + user] | transaction user

Ayn · ‎09-06-2011

I assume you want the subsearch to go against the test index as well. The subsearch runs on its own and returns its results to the outer search, so any search parameters you add to the outer search do not affect the subsearch. Add index=test in the subsearch instead and have it return what index it's operating on to the outer search so that it uses the same index. Llike this:

tag::host=esb* [search index=test TestService | fields transaction_id,index] | transaction transaction_id

How do you perform a sub search over indexes?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life