- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I assign an extracted field from a subsearc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search from which I extracted field A. In the second search, how do I assign A to be the source of the second search?
For example :
I am using the below query:
index=something host=somevalue source=something/something/something/something/A B [search eventtype=somevalue | table A | dedup A | fields + A] | table B
From the above query what I am expecting is :
My subsearch will return field A.
My outer search will use field A as a source in which I will get result B .
Please help me out with this.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
*UPDATED*
index=something host=somevalue [search eventtype=somevalue | table A | dedup A | eval A="x/x/x/x/".A | rename A as source ] | table B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you expect single value for field A or multiple?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to search the values stored in field A from internal search as strings in your outer search and then tabulate the field B in outer search then give this a try please (Notice I have removed plain B from this search in outer search:
index=something host=something source=x/x/x/A
[search index=something host=something source=y/y/y/y | table A | dedup A | return 10000 $A ]
| table B
Here both A and B are field names. In your comment's example, searching for a field B just by placing the field name B in outer search won't help which I quote below:
index=something host=something source = x/x/x/A B [search index=something host=something source=y/y/y/y | table A | dedup A | fields + A ] | table B
It should be B=something in the outer search of your comment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
*UPDATED*
index=something host=somevalue [search eventtype=somevalue | table A | dedup A | eval A="x/x/x/x/".A | rename A as source ] | table B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Sundareshr thanks!
I used your updated query and got exactly what I want the source to be in my outer query. But unfortunately it is still resulting in 0 events. Please help if you have any other way out!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for showing me the correct path. The only change I did is I added fields + A and then renamed A as source as suggested by you and it worked magically . Thank you very very much.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
