Hello, my problem is:
when I type the query in the search bar, such as:
source="number.txt"
it will show like that:
Number  UV   count
1       avc  11
2       bbb  13
3       ddd  14
. . . . .
How can I get the string value inside this? Such as: only bbb (string),
because I want to use this string value bbb to do the subsearch.
I can filter to only see bbb in the result, but I can't use the actual truth string value
to do the comparison in the subsearch.
Maybe I want to do something like this in SQL:
select * from table1 where uv=(select uv from table2)
Is your "bbb" value being automatically extracted as a field? If not, try to extract it as a field first before performing the search. See http://www.splunk.com/base/Documentation/4.1.3/User/ExtractNewFields for more info.
Let's assume you have the field with the possible "bbb" value extracted as custom_field. Here is how you would pass this value from a subsearch to the outer search:
* [search source=numbers.txt | fields + custom_field | dedup custom_field | format]
Here is what this search will do:
source=numbers.txt
)fields + custom_field
)dedup custom_field
)format
)*
). Of course this could also be any number of search criteria. Try running just the subsearch source=numbers.txt | fields + custom_field | dedup custom_field | format
by itself to see what the output of the format command is.
For more info on subsearches see http://www.splunk.com/base/Documentation/4.1.3/User/HowSubsearchesWork
[Edit]
In response to your comment, modify the search as follows to only receive the value from the subsearch, no parentheses or anything else:
* [search source=numbers.txt | fields + custom_field | dedup custom_field | rename custom_field as search | format "" "" "" "" "" ""]
I edited my original answer to answer the question you posed in your comment.
Hello... when I type source="number.txt"|where NO=1|fields + UV|dedup UV|format
and then it shows the result like that:
((UV="U13_V4200_02"))
But when I add the [search ........]
it also cannot put the value into the outer search.
I have a question: can I get the result like this:
U13_V4200_02
That means only the string, without (( )) and ""
Hi sony_1688,
it looks like you have some raw text data here and I hope I got your question right.
What I would suggest here is to use a field extraction for the value bbb (i.e. myField).
Have a look here how to use field extraction:
http://www.splunk.com/base/Documentation/4.1.3/User/ExtractNewFields
Then use a search that includes myField="bbb" in the subsearch to filter your data.
Hope that helps!
Cheers,
Christian
Firstly, thank you for your help. And I can do myField="bbb" in this way. But my problem is, when I am using a subsearch, the problem is like this:
myField="[sources="Number.txt" where Number="1"]"
I cannot do it like this, because the value that I need is dynamic, according to that subsearch.
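The following is an added example, not code from any poster in this thread and not Splunk's own code: a simplified Python model of what the format command produces and how the subsearch output is spliced into the outer search, covering both the format answer above and the dynamic myField case in the last comment. The [SUBSEARCH] marker, the sample rows and the helper names are assumptions made for illustration, spacing follows the ((UV="U13_V4200_02")) output quoted in the thread, and value escaping is ignored.

```python
# Simplified model of Splunk's `format` command and subsearch substitution.
# An added illustration, not Splunk source code; value escaping is ignored.

def spl_format(rows, row_prefix="(", col_prefix="(", col_sep="AND",
               col_end=")", row_sep="OR", row_end=")"):
    """Render subsearch rows ({field: value} dicts) as one search string."""
    rendered = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if field in ("search", "query"):
                terms.append(str(value))           # bare value, no field name
            else:
                terms.append('%s="%s"' % (field, value))
        glue = " %s " % col_sep if col_sep else " "
        rendered.append(col_prefix + glue.join(terms) + col_end)
    glue = " %s " % row_sep if row_sep else " "
    return row_prefix + glue.join(rendered) + row_end

def dedup(rows, field):
    """Keep the first row for each distinct value of `field`."""
    seen, kept = set(), []
    for row in rows:
        if row[field] not in seen:
            seen.add(row[field])
            kept.append(row)
    return kept

def rename(rows, old, new):
    """Rename field `old` to `new` in every row."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]

def expand(outer_search, subsearch_output):
    """Splice the subsearch output where the [search ...] block stood."""
    return outer_search.replace("[SUBSEARCH]", subsearch_output)

# Constructed rows standing in for: source="number.txt" | where NO=1 | fields + UV
ROWS = [{"UV": "U13_V4200_02"}, {"UV": "U13_V4200_02"}]

def demo():
    unique = dedup(ROWS, "UV")
    default = expand("* [SUBSEARCH]", spl_format(unique))
    # myField is the hypothetical outer-search field name from the thread.
    renamed = expand("* [SUBSEARCH]", spl_format(rename(unique, "UV", "myField")))
    bare = expand("* [SUBSEARCH]",
                  spl_format(rename(unique, "UV", "search"), "", "", "", "", "", ""))
    return default, renamed, bare

if __name__ == "__main__":
    for line in demo():
        print(line)
```

In the third case the value reaches the outer search as bare text, so it is matched as a plain search term rather than as a field comparison.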