Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my subsearch not working?

utk123
Path Finder
‎01-08-2019 01:20 AM

I am trying the below subsearch, but it's not giving any results. "No results found. Try expanding the time range. "

I want to get the IP address from search2, and then use it in search1.

Search1 (outer search): giving results

index=index1 sourcetype=sourcetype1 IP_address

Search2 (inner search): giving results

index=index2 sourcetype=sourcetype2 category=category2 | top limit=1 src| table src

subsearch: not giving results

index=index1 sourcetype=sourcetype1 [search 
index=index2 sourcetype=sourcetype2 category=category2 | top limit=1 src| table src]

Am I missing anything here ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-08-2019 06:34 AM

@utk123 try the following search. rename src as IP_address is required as index1 has field IP_address:

index=index1 sourcetype=sourcetype1 
    [ search 
        index=index2 sourcetype=sourcetype2 category=category2 
    | top limit=1 src showcount=f showperc=f 
    | rename src as IP_address]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-08-2019 06:34 AM

@utk123 try the following search. rename src as IP_address is required as index1 has field IP_address:

index=index1 sourcetype=sourcetype1 
    [ search 
        index=index2 sourcetype=sourcetype2 category=category2 
    | top limit=1 src showcount=f showperc=f 
    | rename src as IP_address]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

utk123
Path Finder
‎01-08-2019 05:45 PM

Thanks, that was the trick. I had to use same field name for IP address in both queries.
My final query which is working now:

index=index1 sourcetype=sourcetype1 [search
index=index2 sourcetype=sourcetype2 category=category2 | table src | rename src as IP_address]

0 Karma
Reply
Solved! Jump to solution

askkawalkar
Path Finder
‎01-08-2019 05:00 AM

@utk123 , To get result of above subsearch, src field result need to be present in Search 1. If this criteria is fulfilled, then query will work. n events will be return by search.

Please refer below queries -
Below query will return the result- 

index=_internal group=pipeline
    [search index=_internal component=Metrics | top limit=1 name | table name]

Below Query might not return a result 

index=_internal group=executor
    [search index=_internal component=Metrics | top limit=1 name | table name]

PS: Above queries are heavy query.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...