- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can't use "Where IN ([subsearch])"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'd like to match the result of my main search with a list of values extracted from a CSV.
So at the end of my main search, I appended
| where src IN ([MySubSearch])
It did not work.
But, what is weird, is that the command below did work correctly.
| where src IN (copy/paste of the result of MySubSearch)
If it is helpful, my subsearch is
| inputlookup assets.csv | where category="Groupe_Postes" | eval dns="\"".dns."\"" | stats values(dns) as dns delim="," | nomv dns
And the results is a list of 200 hostnames in the following format :
"PFCC1845","PTADM2364", ....
Thank you in advance for your help
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change your subsearch to this
| inputlookup assets.csv | where category="Groupe_Postes" | eval dns="\"".dns."\"" | stats values(dns) as search delim="," | nomv search | format "" "" "" "" "" ""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I have similar situation where I have 2 sources of data and in data I get filenames processed but filenaming convention is different in both data sources.
So for that matter I get a pattern using eval and some string manipulations to match in both sources.
So I am trying hard to find filenames that are in source1 but not in source2.
So here I am trying to do:
index="clouddata" Application=CS Message.PublisherId="PROD_*ONGOING*"|
rename Message.FileName as cs_filename | dedup cs_filename |
eval ercode = mvindex(split(cs_filename,"_"),1) |
eval servicedatetime = mvindex(split(cs_filename,"_"),2) |
strcat ercode servicedatetime fileSearchStr |
eval fileSearch = substr(fileSearchStr,0,18) | table fileSearch | where NOT fileSearch IN [search index="serverdata" Application=SP |
rename Message.FileName as sp_filename | dedup sp_filename |
eval ercode = mvindex(split(sp_filename,"_"),0) |
eval datetime = mvindex(split(sp_filename,"_"),1) |
strcat ercode datetime fileSearchStr1 |
eval fileSearch="\"".fileSearch."\"" | stats values(fileSearch) as search delim="," | nomv search]
That field fileSearch would look like "10010JYR2011240547"
And when I run subsearch as a separate main query it gives me something like "10005ABC2020112405","10010JYR2011240547","100839TIN202011240","83101ICC2020112406"
Getting an error:
Error in 'where' command: The expression is malformed. Expected (.
Can I get some help on this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change your subsearch to this
| inputlookup assets.csv | where category="Groupe_Postes" | eval dns="\"".dns."\"" | stats values(dns) as search delim="," | nomv search | format "" "" "" "" "" ""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the answer.
When I try it thought, the result of the subsearch becomes :
"\"PFADM0185\",\"PFADM0276\",\"PFADM0290\", ....,\"PTCC0029\",\"ptadm0372\""
I got no error, but the "where" condition does not match.
What I understand though, is that addind "format" at the end of my query displays the way it is really formatting when used in a subsearch, right ?
So I'll try playing with it to have this result at the end (because I know the where condition match this way)
"PFCC1845","PTADM2364", ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this alternative a try as well
Subsearch:
| inputlookup assets.csv | where category="Groupe_Postes" | stats count by dns | table dns | rename dns as src
Your search:
...| where [result from subsearch]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This time it works ! Thank you very much !
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
