- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get the values inside search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello, my problem is:
when I type the query in the search bar, such as:
source="number.txt"
it will so like that:
Number UV count 1 avc 11 2 bbb 13 3 ddd 14 . . . . .
How can I get the string value inside this ? such as: only bbb (string)
because I want to use this string value bbb to do the subsearch
I can filter to only see bbb in the result but i can't use the actual truth string value
to do the comparison in subsearch
may be i want to do like this in sql:
select * from table 1 where uv=(select uv from table2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your "bbb" value being automatically extracted as a field? If not, try to extract it as a field first before performing the search. See http://www.splunk.com/base/Documentation/4.1.3/User/ExtractNewFields for more info.
Let's assume you have the field with the possible "bbb" value extracted as custom_field. Here is how you would pass this value from a subsearch to the outer search:
* [search source=numbers.txt | fields + custom_field | dedup custom_field | format]
Here is what this search will do:
- The search inside [] will be done first
- Search only source numbers.txt (
source=numbers.txt) - Retain only the custom_field field (
fields + custom_field) - Remove duplicates from the custom_field field (
dedup custom_field) - Pass the values of custom_field to the outer search (
format) - Search everything that has the custom field values our subsearch returned (
*). Of course this could also be any number of search criteria.
Try running just the subsearch source=numbers.txt | fields + custom_field | dedup custom_field | format by itself to see what the output of the format command is.
For more info on subsearches see http://www.splunk.com/base/Documentation/4.1.3/User/HowSubsearchesWork
[Edit]
In response to your comment, modify the search as follows to only receive the value from the subsearch, no parenthesis or anything else:
* [search source=numbers.txt | fields + custom_field | dedup custom_field | rename custom_field as search | format "" "" "" "" "" ""]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I edited my original answer to answer the question you posed in your comment..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your "bbb" value being automatically extracted as a field? If not, try to extract it as a field first before performing the search. See http://www.splunk.com/base/Documentation/4.1.3/User/ExtractNewFields for more info.
Let's assume you have the field with the possible "bbb" value extracted as custom_field. Here is how you would pass this value from a subsearch to the outer search:
* [search source=numbers.txt | fields + custom_field | dedup custom_field | format]
Here is what this search will do:
- The search inside [] will be done first
- Search only source numbers.txt (
source=numbers.txt) - Retain only the custom_field field (
fields + custom_field) - Remove duplicates from the custom_field field (
dedup custom_field) - Pass the values of custom_field to the outer search (
format) - Search everything that has the custom field values our subsearch returned (
*). Of course this could also be any number of search criteria.
Try running just the subsearch source=numbers.txt | fields + custom_field | dedup custom_field | format by itself to see what the output of the format command is.
For more info on subsearches see http://www.splunk.com/base/Documentation/4.1.3/User/HowSubsearchesWork
[Edit]
In response to your comment, modify the search as follows to only receive the value from the subsearch, no parenthesis or anything else:
* [search source=numbers.txt | fields + custom_field | dedup custom_field | rename custom_field as search | format "" "" "" "" "" ""]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello... when I type source="number.txt"|where NO=1|fields + UV|dedup UV|format
and then it shows the result like that:
((UV="U13_V4200_02"))
But when I add the [search ........]
it also can not put the value to the outler search
I have a question that can i get the result like that:
U13_V4200_02
that means only have the string and do not have (( )) and ""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sony_1688,
it looks like you have some raw text data here and I hope i got your question right.
What I would suggest here is to use a filed extraction for the value bbb (i.e. myField).
Have a look here how to use field extraction:
http://www.splunk.com/base/Documentation/4.1.3/User/ExtractNewFields
Then use a search that includes myField="bbb" in the subsearch to filter your data.
Hope that helps!
Cheers,
Christian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firstly, thank you for your help. And I can do myField="bbb" in this way. But my problem is, when I using subsearch, the problem like that
myField="[sources="Number.txt" where Number="1"]"
I can not do like this.Because the value that I need which is dynamic according to that subsearch
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
