Splunk Search

How to develop a subsearch on multiple fields in the same sourcetype and have the results displayed in a table?

udaykor
New Member

Hi there,

What's the best way to search where I need to search from a CSV sourcetype file? I need to use multiple conditions.

Here is what my current sample search looks like:

index=* sourcetype=csv "FirstSearchTerm"
| search "text1" OR "text2" OR "text3" OR "text4" OR "text5"
| replace "item1" WITH "Group1" in field5
| replace "item1" WITH "Group2" in field5
| replace "item3" WITH "Group1" in field5
| replace "item4" WITH "Group1" in field5
| replace "item5" WITH "Group2" in field5
| dedup field1, field2, field3
| stats count by field2

How do I use subsearches on multiple fields in the same sourcetype and get the results from all the subsearches into a table?

Regards
Uday

0 Karma

aaraneta_splunk
Splunk Employee

Hi @udaykor - Did the answer provided by gokadroid help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

gokadroid
Motivator

Let me start with replacement first:

To replace item1 with Group1 in field5 try this:

yourBaseSearch
| rex mode=sed field=field5 "s/item1/Group1/g"
| complete yourSearch

To replace more than one item (item1 with Group1, item2 with Group2 and so on) in the same field5 try this:

yourBaseSearch
| rex mode=sed field=field5 "s/item1/Group1/g
s/item2/Group2/g
s/item3/Group3/g"
| complete yourSearch

To replace data in more than one field, try the sed mode with each field as below:

yourBaseSearch
| rex mode=sed field=field5 "s/item1/Group1/g"
| rex mode=sed field=field6 "s/item1/Group1/g"
| complete yourSearch

Since your query only wants to replace things in field5 (even though replacing item1 with Group1 first might not leave anything as item1 to be replaced with Group2 in the same field), for clarity's sake I have included all replacements as mentioned in the question:

index=* sourcetype=csv "FirstSearchTerm" 
| search "text1" OR "text2" OR "text3"  OR "text4" OR "text5"  
| rex mode=sed field=field5 "s/item1/Group1/g
s/item1/Group2/g
s/item3/Group1/g
s/item4/Group1/g
s/item5/Group2/g"
| dedup field1, field2, field3 
| stats count by field2

However, if your question is just how to do a search and subsearches with the results showing up in the same table, then append them using append:

yourBaseSearch
| append [search yourSubsearch ]
| table field1, field2

0 Karma
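The following search is an added example, not part of the answers above, that puts both halves of the reply together: the field5 normalisation and an appended subsearch whose rows land in the same result table. The second search term ("SecondSearchTerm") and the field6 filter are assumptions standing in for whatever the second subsearch would look for; everything else reuses the names from the question. Instead of chaining sed substitutions, the value mapping is done with eval case(), which looks at the original value once and so cannot run into the item1 -> Group1 -> Group2 double-replacement mentioned in the answer.

```spl
index=* sourcetype=csv "FirstSearchTerm"
| search "text1" OR "text2" OR "text3" OR "text4" OR "text5"
| eval source_search="base"
| append
    [ search index=* sourcetype=csv "SecondSearchTerm" field6="item1"
      | eval source_search="sub" ]
| eval group=case(field5=="item1", "Group1",
                  field5=="item3", "Group1",
                  field5=="item4", "Group1",
                  field5=="item5", "Group2",
                  true(), field5)
| dedup field1, field2, field3
| stats count by source_search, field2, group
| table source_search, field2, group, count
```

The source_search field is set before the append so each row in the final table records which search produced it; the case() default of true(), field5 keeps unmapped values visible rather than dropping them. Two things to check when using this pattern: append runs the subsearch to completion first and is subject to the subsearch result and time limits (the maxout and maxtime arguments of append, and the limits.conf subsearch settings), so rows past the limit are silently dropped and the counts will be low; and index=* scans every index, so scope it to the index that actually holds the CSV data once the search is working.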