Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Passing subsearch reporting command results to the outer search

oreoshake
Communicator
‎06-03-2010 11:47 PM 
 sourcetype=package_formatted [search sourcetype=package_formatted | stats dc(version) as version_test by name | search version_test>1 | fields name] | dedup host | stats values(version) by name

Basically what I'm trying to do is figure out which packages are installed and see if they are of consistent version numbers across the infrastructure. 

sourcetype=package_formatted | stats dc(version) as version_test by name | search version_test>1

Works fine, only returns the packages where more than one version exists, but I noticed the fields command at the end didn't have an effect (all fields were returned). But when I put it in the subsearch, I'm getting back "name"s which weren't in the subsearch.

So is a reporting function like stats ignored and only the raw results are used?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 04:38 PM

The subsearch here never returns results or events to the outer search, it just adds search terms. Putting the fields command in the subsearch makes sure that the boolean expression that the subsearch emits looks like:

name=name_1 OR name=name_2 OR name=_name3 ...

As opposed to: (name=name_1 AND version_test=version_test1) OR (name=name_2 AND version_test=version_test2) ...

However, either way wouldn't cause the outer search to give "name"s not in the subsearch.

If you want to find the packages that are inconsistent and the hosts they are on, you probably don't even need the subsearch:

sourcetype=package_formatted | stats dc(version) as version_count values(version) as versions values(host) as hosts by name | search version_count>1 | fields - version_count

What would you like your final table of results to look like?

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 04:38 PM

The subsearch here never returns results or events to the outer search, it just adds search terms. Putting the fields command in the subsearch makes sure that the boolean expression that the subsearch emits looks like:

name=name_1 OR name=name_2 OR name=_name3 ...

As opposed to: (name=name_1 AND version_test=version_test1) OR (name=name_2 AND version_test=version_test2) ...

However, either way wouldn't cause the outer search to give "name"s not in the subsearch.

If you want to find the packages that are inconsistent and the hosts they are on, you probably don't even need the subsearch:

sourcetype=package_formatted | stats dc(version) as version_count values(version) as versions values(host) as hosts by name | search version_count>1 | fields - version_count

What would you like your final table of results to look like?

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...