question about sub search query

gudavasr
Path Finder

One of my queries returns results like below:

sourcetype="centergrid_log" CG_JobStatus="Status is Error" |  table CG_DScg_session_id | rename CG_DScg_session_id  as worker_Sid

123456
234567
234567
345678

Now, when I do a subsearch:

sourcetype="worker_log" [search sourcetype="grid_log" CG_JobStatus="Status is Error" |  rename CG_DScg_session_id as worker_Sid | rename worker_Sid as search]

The results returned are matched to the first value of the column worker_Sid, but I want the results to match all the values of worker_Sid.
How can I do that?

I tried different ways from this document but no luck.
http://docs.splunk.com/Documentation/Splunk/4.3.1/User/HowSubsearchesWork

Particularly the last part.

Thank you.

dwaddle
SplunkTrust

I would make some suggestions.

  1. Use | fields to limit the output of your subsearch to only the fields you want. In most subsearch cases, using the special search or query fields isn't necessary.

  2. Use the format command to see exactly how the results of your subsearch will be formatted. You can run this search:

    sourcetype="centergrid_log" CG_JobStatus="Status is Error"
    | fields CG_DScg_session_id | rename CG_DScg_session_id as worker_Sid
    | format

This should give you an idea of exactly what is being emitted from the subsearch, and how it should fit into the parent search.

These are just some troubleshooting ideas - feedback appreciated.
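To make the second suggestion concrete without a Splunk instance, here is an added example (not code from the thread or from Splunk) that emulates how the `format` command composes subsearch rows into one search string, using the documented default separators; the sample rows are constructed from the session ids in the question, and the `dedup` helper and the handling of empty results are assumptions of this emulation.

```python
from typing import Dict, List

# Defaults as documented for Splunk's `format` command. This emulation only
# models plain single-value fields; multivalue fields and the special
# `search`/`query` fields are not covered (an assumption, not Splunk's code).
DEFAULTS = {"row_prefix": "(", "col_prefix": "(", "col_sep": "AND",
            "col_end": ")", "row_sep": "OR", "row_end": ")"}


def format_subsearch(rows: List[Dict[str, str]], **opts: str) -> str:
    """Compose subsearch rows into one search string the way `| format` does.

    Each row becomes a group of field="value" terms joined by col_sep and
    wrapped in col_prefix/col_end; the groups are joined by row_sep and the
    whole string is wrapped in row_prefix/row_end. Rows therefore OR together,
    which is why a well-formed subsearch matches every value, not just the first.
    """
    o = {**DEFAULTS, **opts}
    if not rows:
        return ""  # simplification: an empty subsearch yields no filter here
    groups = []
    for row in rows:
        terms = " {} ".format(o["col_sep"]).join(
            '{}="{}"'.format(field, value) for field, value in row.items())
        groups.append("{} {} {}".format(o["col_prefix"], terms, o["col_end"]))
    body = " {} ".format(o["row_sep"]).join(groups)
    return "{} {} {}".format(o["row_prefix"], body, o["row_end"])


def dedup(rows: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Emulate `| dedup <field>`: keep the first row for each distinct value."""
    seen, out = set(), []
    for row in rows:
        if row[field] not in seen:
            seen.add(row[field])
            out.append(row)
    return out


# Constructed sample: the session ids from the question, one row each
# (note the duplicate 234567, which `format` passes through as-is).
SAMPLE_ROWS = [{"worker_Sid": sid} for sid in ("123456", "234567", "234567", "345678")]

if __name__ == "__main__":
    print(format_subsearch(SAMPLE_ROWS))
    print(format_subsearch(dedup(SAMPLE_ROWS, "worker_Sid")))
    # Two-field rows show the AND inside each row group.
    print(format_subsearch([{"host": "a", "source": "x"}, {"host": "b", "source": "y"}]))
```

Running the first print shows the duplicate id emitted twice, so `| dedup worker_Sid` before `| format` in the subsearch keeps the generated filter short.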

gudavasr
Path Finder

It actually works. I was using "rename as search", hence it returned only one column instead of many.
Thank you for your help.

gudavasr
Path Finder

The above query shows exactly the results I want, i.e., it gives the output as
(worker_Sid="1234567" or worker_Sid="2345678")
but when I use it as a subsearch, the parent query is searching only the first result, i.e. worker_Sid="1234567"; it does not search worker_Sid="2345678".
