Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Passing subsearch reporting command results to the outer search

oreoshake
Communicator
‎06-03-2010 11:47 PM 
 sourcetype=package_formatted [search sourcetype=package_formatted | stats dc(version) as version_test by name | search version_test>1 | fields name] | dedup host | stats values(version) by name

Basically what I'm trying to do is figure out which packages are installed and see if they are of consistent version numbers across the infrastructure. 

sourcetype=package_formatted | stats dc(version) as version_test by name | search version_test>1

Works fine, only returns the packages where more than one version exists, but I noticed the fields command at the end didn't have an effect (all fields were returned). But when I put it in the subsearch, I'm getting back "name"s which weren't in the subsearch.

So is a reporting function like stats ignored and only the raw results are used?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 04:38 PM

The subsearch here never returns results or events to the outer search, it just adds search terms. Putting the fields command in the subsearch makes sure that the boolean expression that the subsearch emits looks like:

name=name_1 OR name=name_2 OR name=_name3 ...

As opposed to: (name=name_1 AND version_test=version_test1) OR (name=name_2 AND version_test=version_test2) ...

However, either way wouldn't cause the outer search to give "name"s not in the subsearch.

If you want to find the packages that are inconsistent and the hosts they are on, you probably don't even need the subsearch:

sourcetype=package_formatted | stats dc(version) as version_count values(version) as versions values(host) as hosts by name | search version_count>1 | fields - version_count

What would you like your final table of results to look like?

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 04:38 PM

The subsearch here never returns results or events to the outer search, it just adds search terms. Putting the fields command in the subsearch makes sure that the boolean expression that the subsearch emits looks like:

name=name_1 OR name=name_2 OR name=_name3 ...

As opposed to: (name=name_1 AND version_test=version_test1) OR (name=name_2 AND version_test=version_test2) ...

However, either way wouldn't cause the outer search to give "name"s not in the subsearch.

If you want to find the packages that are inconsistent and the hosts they are on, you probably don't even need the subsearch:

sourcetype=package_formatted | stats dc(version) as version_count values(version) as versions values(host) as hosts by name | search version_count>1 | fields - version_count

What would you like your final table of results to look like?

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...