Splunk Search

Check if value is in sub search table result

matansocher
Contributor

Hi,
I need a way to check if a value is in a sub search table result.
for example I use the code that doesent work:

index=indexA groupID=*groupA* regression_target=*TargetA* job_type=run_job 
| search 
    [ search index=indexA  groupID=*groupA* regression_target=*TargetA* status=PASS job_type=batch 
    | dedup thumb_print 
    | fields thumb_print] 
| table thumb_print

I am trying to filter the 'thumb_print' field by the subsearch result. in the subsearch there are more results then the whole search.
by the data, it does not make any sense. am I doing something wrong?

thanks

0 Karma

deepashri_123
Motivator

Hi matansocher,

You can try the query below:

index=indexA groupID=groupA regression_target=TargetA job_type=run_job OR (status=PASS AND job_type=batch)
| dedup thumb_print
| table thumb_print

0 Karma

matansocher
Contributor

Sorry, I didnt know that a subsearch has a timeout of 60 seconds or a limit of 50000 results.
Thanks anyway

0 Karma

mayurr98
Super Champion

hey @matansocher

 index=indexA groupID=*groupA* regression_target=*TargetA* job_type=run_job 
 | search 
     [ search index=indexA  groupID=*groupA* regression_target=*TargetA* status=PASS job_type=batch 
     | dedup thumb_print 
     | return 100000 thumb_print] 
 | table thumb_print

Use return command
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Return

100000 is the number of rows it can return.For a safer side put a high number. Also refer documentation for the same

Let me know if it helps!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...