Check if value is in sub search table result

matansocher · ‎12-12-2017

Hi,
I need a way to check if a value is in a sub search table result.
for example I use the code that doesent work:

index=indexA groupID=*groupA* regression_target=*TargetA* job_type=run_job 
| search 
    [ search index=indexA  groupID=*groupA* regression_target=*TargetA* status=PASS job_type=batch 
    | dedup thumb_print 
    | fields thumb_print] 
| table thumb_print

I am trying to filter the 'thumb_print' field by the subsearch result. in the subsearch there are more results then the whole search.
by the data, it does not make any sense. am I doing something wrong?

thanks

deepashri_123 · ‎12-12-2017

Hi matansocher,

You can try the query below:

index=indexA groupID=groupA regression_target=TargetA job_type=run_job OR (status=PASS AND job_type=batch)
| dedup thumb_print
| table thumb_print

matansocher · ‎12-13-2017

Sorry, I didnt know that a subsearch has a timeout of 60 seconds or a limit of 50000 results.
Thanks anyway

mayurr98 · ‎12-12-2017

hey @matansocher

 index=indexA groupID=*groupA* regression_target=*TargetA* job_type=run_job 
 | search 
     [ search index=indexA  groupID=*groupA* regression_target=*TargetA* status=PASS job_type=batch 
     | dedup thumb_print 
     | return 100000 thumb_print] 
 | table thumb_print

Use return command
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Return

100000 is the number of rows it can return.For a safer side put a high number. Also refer documentation for the same

Let me know if it helps!

Check if value is in sub search table result

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life