- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I edit my search so if my subsearch return...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="test" [search index="test_summary" key_field="y" | head 1 | eval search = "_time>" . _time | fields search]
| table a,b,c
I have to return everything under "test" where _time>_time of y_summary. This search works fine as long as there is something under test_summary with key_field="y".
But, if there are no events returned by the sub search, my main search should return all the items in the index="test"
How do I get it working.. I have been on this for a day now.. with very little progress to show..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index="test" [search index="test_summary" key_field="y" | head 1 | eval earliest=_time | append [ | makeresults | eval earliest=0] | head 1 | return earliest ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rmuraly,
You should avoid sub searches, because they are slow and will hit limits as soon as you put real data volumes through them. Try a simple conditional eval on this:
index="test" OR index="test_summary"
| eval y_time=if(index="test_summary" AND key_field="y", _time, 0)
| stats max(y_time) AS y_time max(_time) as _time by _time (add any other fields needed further down the pipe ...)
| where _time > y_time
| do more splunk-fu here ....
This may or may not provide a solution to you, but it for sure shows a way to go. You can read more on this topic in this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or in the March session of the Virtual .conf here http://wiki.splunk.com/Virtual_.conf
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index="test" [search index="test_summary" key_field="y" | head 1 | eval earliest=_time | append [ | makeresults | eval earliest=0] | head 1 | return earliest ]
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
