- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- 2 fields (kv pairs) in subsearch, find any events ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following search which isn't returning results:
mysearchevents [ search sourceA | fields a b ]
For my subsearch, I'm taking an event and pulling out fields "a" and "b". Then I want any event (in mysearchevents) that contain field "a" OR field "b".
I want the raw event so no formatting is necessary.
My search returns nothing. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the format command to change how results from the subsearch are formatted. By default, the format is as follows:
"(" "(" "AND" ")" "OR" ")"
...in which these 6 parameters correspond to the following identifiers:
"<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"
So by playing around with this you should be able to get a format that's working for you. Like changing the "AND" argument to an "OR".
mysearchevents [ search sourceA | fields a b | format "(" "(" "OR" ")" "OR" ")" ]
If you want to see exactly what the subsearch returns, just run the subsearch as its own search, still with format added at the end. The format command will make sure you see what string is returned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the format command to change how results from the subsearch are formatted. By default, the format is as follows:
"(" "(" "AND" ")" "OR" ")"
...in which these 6 parameters correspond to the following identifiers:
"<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"
So by playing around with this you should be able to get a format that's working for you. Like changing the "AND" argument to an "OR".
mysearchevents [ search sourceA | fields a b | format "(" "(" "OR" ")" "OR" ")" ]
If you want to see exactly what the subsearch returns, just run the subsearch as its own search, still with format added at the end. The format command will make sure you see what string is returned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THANK YOU. That worked exactly the way I needed!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's great! I didn't see this in the docs!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that the splunk behavior is to AND the two fields together: (field1=a AND field2=b)
Not sure how to make it do an OR - unless you do two subsearches, one for each field. Ugh.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My subsearch returns 2 fields from a single event. I want to use those fields, kv pairs, to find all associated events that match (field1=a OR field2=b)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How many events does your subsearch return?
Do you want the results of the subsearch to be
(a=aval1 AND b=bval1) OR (a=aval2 AND b=bval2) OR...
or do you want the subsearch to return
(aval1 AND bval1) OR (aval2 AND bval2) OR...
or something else?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
