I have the following search which isn't returning results:
mysearchevents [ search sourceA | fields a b ]
For my subsearch, I'm taking an event and pulling out fields "a" and "b". Then I want any event (in mysearchevents) that contains field "a" OR field "b".
I want the raw event so no formatting is necessary.
My search returns nothing. 😞
You can use the format command to change how results from the subsearch are formatted. By default, the format is as follows:
"(" "(" "AND" ")" "OR" ")"
...in which these 6 parameters correspond to the following identifiers:
"<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"
So by playing around with this you should be able to get a format that's working for you, like changing the "AND" argument to an "OR":
mysearchevents [ search sourceA | fields a b | format "(" "(" "OR" ")" "OR" ")" ]
If you want to see exactly what the subsearch returns, just run the subsearch as its own search, still with format added at the end. The format command will make sure you see what string is returned.
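To see how those six format arguments assemble the string that gets spliced into the outer search, here is an added Python emulation (not Splunk's code, and not from the answer above) that renders subsearch rows the way the answer describes: one row per subsearch event, fields joined by the column separator, rows joined by the row separator. The row data is constructed; exact whitespace and quoting of the real command are assumed, so treat the output as the structure to expect, not a byte-exact copy.

```python
from typing import Dict, List, Sequence

# Argument order of the format command as listed in the answer:
# row prefix, column prefix, column separator, column end, row separator, row end.
DEFAULT_FORMAT = ("(", "(", "AND", ")", "OR", ")")
# The variant from the answer: OR the columns of each row instead of ANDing them.
OR_COLUMNS_FORMAT = ("(", "(", "OR", ")", "OR", ")")


def format_subsearch(rows: Sequence[Dict[str, str]],
                     params: Sequence[str] = DEFAULT_FORMAT) -> str:
    """Emulate how `format` turns subsearch rows into a single search string.

    Each row renders as <column prefix> field="value" <column separator> ... <column end>;
    rows are joined by <row separator> and wrapped in <row prefix> ... <row end>.
    Spacing and quoting are assumptions about the real command's output.
    """
    row_prefix, col_prefix, col_sep, col_end, row_sep, row_end = params
    rendered_rows: List[str] = []
    for row in rows:
        terms = []
        for field, value in row.items():
            # Values are double-quoted; escape embedded quotes so the term stays one token.
            escaped = value.replace('"', '\\"')
            terms.append(f'{field}="{escaped}"')
        col_join = f" {col_sep} "
        rendered_rows.append(f"{col_prefix} {col_join.join(terms)} {col_end}")
    if not rendered_rows:
        # Emulation choice only: an empty subsearch contributes nothing here.
        return ""
    row_join = f" {row_sep} "
    return f"{row_prefix} {row_join.join(rendered_rows)} {row_end}"


if __name__ == "__main__":
    # Constructed sample: the single event with fields a and b from the question.
    one_event = [{"a": "aval1", "b": "bval1"}]
    print("default:", format_subsearch(one_event))              # ( ( a="aval1" AND b="bval1" ) )
    print("OR cols:", format_subsearch(one_event, OR_COLUMNS_FORMAT))  # ( ( a="aval1" OR b="bval1" ) )
    # Two subsearch events show why the row separator is an OR.
    two_events = one_event + [{"a": "aval2", "b": "bval2"}]
    print("2 rows: ", format_subsearch(two_events))
```

Running the subsearch on its own with `| format` appended should show the same shape in the resulting search field, which is the quickest way to confirm which separator is producing unwanted ANDs.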
THANK YOU. That worked exactly the way I needed!
That's great! I didn't see this in the docs!
I think that the Splunk behavior is to AND the two fields together: (field1=a AND field2=b)
Not sure how to make it do an OR - unless you do two subsearches, one for each field. Ugh.
My subsearch returns 2 fields from a single event. I want to use those fields, kv pairs, to find all associated events that match (field1=a OR field2=b)
How many events does your subsearch return?
Do you want the results of the subsearch to be
(a=aval1 AND b=bval1) OR (a=aval2 AND b=bval2) OR...
or do you want the subsearch to return
(aval1 AND bval1) OR (aval2 AND bval2) OR...
or something else?