Solved: Is it possible to do a set command on a subsearch ...

nreilly · ‎10-06-2016

Greetings,

Is it possible to do sets of sets? e.g. (though this doesn't work)

| set diff [ | set intersect [search query | table fieldname] [search query | table fieldname ]] [search query | table fieldname]

where all queries would be returning a single column of names as strings as fieldname

If it's possible, any hints for syntax?

Thanks!

inventsekar · ‎10-06-2016

Edit - i verified this and its working fine.

previously i updated it's not possible.
As the doc says, the set command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

View solution in original post

inventsekar · ‎10-06-2016

Edit - i verified this and its working fine.

previously i updated it's not possible.
As the doc says, the set command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Is it possible to do a set command on a subsearch that already uses a set command?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!