- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you get around the subsearch limitation whe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you get around the subsearch limitation when defining events?
Hi Splunkers.
I am retrieving a field from JSON log file using rex, table and spath.
Although this runs fine as a standard query, I'm not be able to turn this into an eventtype due to the restriction on subsearches when defining an event type's query.
Here's my query:
index=my_index "lane" |rex "^(?:[^ \n]* ){7}(?P.+)"|table my_data|spath input=my_data | fields lane
I am trying to create an event type of "lane" from this but of course cannot due to the subquery limitation.
I'm sure there is a way around this limitation but I've not been able to find it.
Don't seem to have found anything similar post on here either.
How does one get the output of this into an eventtype??
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is the pipes, not eventtypes. But let's back up. Why do you think you need an eventtype? What is your overall end goal?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is the pipes, not eventtypes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The rules for an eventtype actually says
You cannot base an event type on a search that:
- Includes a pipe operator after a simple search.
- Includes a subsearch.
So you will need to remove ALL of the commands after the base search. First, the table and fields commands are adding nothing to your eventtype and can simply be deleted. The field extractions performed by the rex and spath commands should be coded into props.conf for the sourcetype. You will find some information about how to do this if you read the documentation for the spath and rex commands. Here is another list of references for field extraction.
Finally, why do you need an eventtype? Perhaps a macro would serve you better, as it does not have these restrictions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTW, using Splunk v6.2.6
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
