- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How could we use one search results in another se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How could we use one search results in another search using subsearch query?
Query :
index="heroku_secure_uat" host="messaging-service-uat.herokuapp.com" [search event_name=email OR event |where NOT LIKE(person_id,"%WF%")| stats dc(person_id)]| rex "(?\{.*)" | spath input=json_data
Result :
172cd733-beec-490f-8f53-dbe68166bb33
3874287d5dfb468187f5a42251214d15
40c5778a-152c-40db-bf85-24c8aec427de
5678c76c-e689-4712-a8fb-85e5e0c5097f
618bd8ea-59dc-485f-a0a3-908adb804443
6618bb54-73fd-4d13-b2e2-72e18171a904
6f196d9397a64b0cb62196efd1d82309
724ad888-cbd4-483f-91b3-01a95809ad7b
9bd90012-f4e8-4bc2-b149-d63219aab343
9e9f0ec6-899e-43a8-b1e3-ca158516b6fe
WF-172cd733-beec-490f-8f53-dbe68166bb33\u0026token=-YIg4amu7FD76T2XGfd2-w
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=CycW6z87l5wFBjPlSQ2anQ
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=fqlqHuY284bpCU180o3jLw
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=hDLTqEqQwAabP5bXaqajJA
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=jU7sWgFiyNJ6DeYFp5kkhA
WF-5678c76c-e689-4712-a8fb-85e5e0c5097f\u0026token=ta-NduNrMOUGqjbPUMbACA
WF-bdd32edb-7ec0-43ca-9457-2fe6f74c294a\u0026token=aE1qDEBT0AE0tneHlyHecA
b800274d-d134-48d9-973f-0c9361a615a6
bdd32edb-7ec0-43ca-9457-2fe6f74c294a
I need to use this above result again in same query to get those records count which are not starting with "WF-".
Please suggest .
Any help will be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not a subquery, it's just a simple filter on your existing results. somesoni2 gave you one way. You would just add those last two lines on the end of your query, changing YourFieldName to match the actual field name.
One thing - please mark your code when you post it, for instance with the code button 101 010, so that the interface will not strip out html-like parts of your code.
However, I really don't believe that code got that result. It should be more like this...
index="heroku_secure_uat" host="messaging-service-uat.herokuapp.com"
event_name=email OR event
| rex "(?<json_data>{.*)"
| spath input=json_data
| where NOT like(person_id,"%WF%")
| table person_id
...and there's something vaguely wrong with the second line event_name=email OR event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
your current search
| where NOT like(YourFieldName,"WF-%")
| stats count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2
I have updated my post.
I have got above result by executing posted query and now I need to filter those records which are not starting with "WF-".
It should be like subquery but not sure how to do this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you just want to filter records which do not start with "WF-" (assuming that's a field whose value is used for filtering), then you can just include the where clause from my answer. Be sure to update the YourFieldName with actual field name. Since you're filtering within same resultset, you don't need a subsearch. If this is not the case may be explain more, may be some sudo code depicting your requirement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so you want to add these results into a subquery or you want to filter out the WF- results and add the others to the subquery? what are you adding the subquery to? you can just add |format to the end of your query above and encase the whole search in square brackets and it will format it how you need.
index=newIndex [search index="heroku_secure_uat" host="messaging-service-uat.herokuapp.com" [search event_name=email OR event |where NOT LIKE(person_id,"%=%")| stats dc(person_id)]| rex "(?{.*)" | spath input=json_data|format]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cmerriman
When I run your query . It gives below error:
Error in 'rex' command: Encountered the following error while compiling the regex '(?{.*)': Regex: unrecognized character after (? or (?-
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cmerriman
I want to filter out those results which are not starting from "WF-".
Thanks.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
