Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use subsearch result as filter

kennethyeung
New Member
‎10-31-2017 05:17 AM

I have 2 indexes. 1 index has the price with product code
Another index has product code and product name

the subsearch is below:

index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

it will return the product name , however if i use as subsearch, it will say no result

index=price [search index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]

Actually, I want to filter name = subsearch result as well

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 08:41 AM

i found out have to add "return product_name" at the subsearch , then work fine. Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 05:44 AM

Hi kennethyeung,
Only to understand:
if in index2 you have code and product name: why do you use lookup?

Anyway, probably the problem is in the case.
Try to convert in upper o lower case both the searches.

Or you could rebuild your search:

index=price OR  index=product
| rename code AS product_code
| stats values(price) AS price values(product_name) AS product_name BY product_code

Bye.
Giuseppe

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:06 AM

thanks, becasue the product code is not same on different index, 1 index is 1234 another index product code is short form for the product, (E,g ABC)
that's why i use lookup to map it.

but do you know why my subsearch not work?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2017 06:19 AM

Hi kennethyeung,
probably the problem is in the case.
Try to convert code and product_code in upper o lower case in both the searches.
Bye.
Giuseppe

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 05:34 AM

Your subsearch should just get the results from the lookup e.g.

|inputlookup code.csv where product_code=1 | table product_name

Alternatively, you can replace index=product with below to make sure you always have data

index=product earliest=0 latest=now

0 Karma
Reply

kennethyeung
New Member
‎10-31-2017 06:11 AM

i tried put "|inputlookup code.csv where product_code=1 | table product_name" as subsearch but not working as well

index=product [ inputlookup code.csv where product_code=1 | table product_name] no result found

0 Karma
Reply

peterchenadded
Path Finder
‎10-31-2017 01:46 PM

It needs to be | before the inputlookup.

Did you also try the earliest and latest setting I suggested in previous comment?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...