Hi Splunk friends, looking for some help in this use case.
I'm trying to use results from a subsearch to feed a search; however:
1) the subsearch is the result of a regex pull
2) I would like the results to be treated as ORs, not ANDs
Example:
sourcetype="error log" "SOAP Request before sending" [search sourcetype="error log" specific_error_code | rex field=_raw "AccountID(?<A1>\d+)/AccountID" | fields + A1 | rename A1 as search]
I want to use the results from the field that I named A1 to feed into my main search, but as OR statements, not ANDs.
What you are trying to do won't work with the multiple values as you have it. You need to try something a little different.
sourcetype="error log" "SOAP Request before sending" [search sourcetype="error log" specific_error_code | rex field=_raw "AccountID(?<A1>\d+)/AccountID" | stats count by A1 | fields + A1 | format "(" "" "" "OR" "" ")" | eval search=replace(search, "A1=", "")]
Hi rjthibod, your response is much appreciated. I've tried that and it does not work.
I reviewed this page: http://docs.splunk.com/Documentation/Splunk/4.3.7/User/HowSubsearchesWork#Result_output_settings_for...
However, the example is not really working (or I'm not understanding how to use it properly).
First, post your response as a comment to the answer, not as a new answer. It makes it harder for people to track things.
Second, I just realized what you are getting at. Will update my original response with a new solution.
noted 😃 (still new to the forums)
I am trying to get better at Splunk, going through the pains of syntax and methodology, so I really do appreciate your follow-up.
Cheers!
Moved the comment to the correct position for you.
See new answer above.
Hi rjthibod, after seeing your example, I tried it and received an error (tried my best to understand the query analyzer, but I'm not quite there yet).
I read up on what format and replace do and tried it this way, as the native result of format is always OR, and it worked!!
sourcetype="error log" "SOAP Request before sending" [search sourcetype="error log" specific_error_code | rex field=_raw "AccountID(?<A1>\d+)/AccountID" | stats count by A1 | fields + A1 | format | eval search=replace(search, "A1=", "")]
Many thanks for leading me down the right path!!
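To make the mechanics of the working query visible, here is an added Python emulation (not from the thread or from Splunk) of the subsearch pipeline: the rex extraction, the de-duplication from stats count by A1, the default format output, and the replace step. It assumes format's documented token order (row prefix, column prefix, column separator, column end, row separator, row end, defaulting to "(" "(" "AND" ")" "OR" ")"), that values are emitted as field="value", and uses constructed sample events; whitespace in real Splunk output may differ.

```python
# Added example, not from the thread: emulates the subsearch pipeline so
# the string that replaces [ ... ] in the outer search is visible.
# `format` token order assumed as documented: row prefix, column prefix,
# column separator, column end, row separator, row end; defaults are
# "(" "(" "AND" ")" "OR" ")".  All sample events below are constructed.
import re
from typing import Dict, List, Sequence

DEFAULT_TOKENS = ("(", "(", "AND", ")", "OR", ")")
# Same pattern as the thread's rex, with the named capture group A1.
ACCOUNT_RE = re.compile(r"AccountID(?P<A1>\d+)/AccountID")

SAMPLE_RAW = [  # constructed _raw events matched by the subsearch
    "2016-01-01 ERR specific_error_code AccountID2002/AccountID",
    "2016-01-01 ERR specific_error_code AccountID1001/AccountID",
    "2016-01-02 ERR specific_error_code AccountID2002/AccountID",  # dup
]


def extract_a1_rows(raw_events: Sequence[str]) -> List[Dict[str, str]]:
    """rex ... | stats count by A1 | fields + A1: one sorted row per A1."""
    found = {m.group("A1") for m in map(ACCOUNT_RE.search, raw_events) if m}
    return [{"A1": value} for value in sorted(found)]


def splunk_format(rows: Sequence[Dict[str, str]],
                  tokens: Sequence[str] = DEFAULT_TOKENS) -> str:
    """Build the search string `format` produces: columns ANDed, rows ORed."""
    row_pre, col_pre, col_sep, col_end, row_sep, row_end = tokens
    parts = [row_pre]
    for i, row in enumerate(rows):
        if i:
            parts.append(row_sep)
        parts.append(col_pre)
        for j, (field, value) in enumerate(row.items()):
            if j:
                parts.append(col_sep)
            parts.append(f'{field}="{value}"')
        parts.append(col_end)
    parts.append(row_end)
    return " ".join(p for p in parts if p)  # empty tokens add nothing


def final_search(raw_events: Sequence[str]) -> str:
    """Outer search after `eval search=replace(search, "A1=", "")`."""
    inner = splunk_format(extract_a1_rows(raw_events)).replace("A1=", "")
    return f'sourcetype="error log" "SOAP Request before sending" {inner}'
```

Calling splunk_format with the custom tokens from the first answer, ("(", "", "", "OR", "", ")"), yields a dangling OR before the closing parenthesis under this emulation.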
@eddychuah - Please accept rjthibod's updated answer so that folks will know your issue has been solved. In general, you can also upvote any comments or answers that you found particularly helpful, any time you want, on your own question or anyone else's.
This is not important on this question, but that's one way you can reward people for helpful information or workable answers that didn't happen to be the best one, or when you didn't post the question, but were just reading it several months later!