- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subsearches (and custom fields?)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subsearches (and custom fields?)
I could be doing something wrong, but I can't seem to get subsearches to behave like I expect. I can get something like the documentation (HowSubsearchesWork) example to work, but anything more complicated seems to fail.
This query:
index="main" *CONNECTION | top host limit=1 | fields host
shows the host with the most CONNECTION log entries.
As expected, this query:
* [search index="main" *CONNECTION | top host limit=1 | fields host]
shows all log messages from the host that has the most connection logs. When I try using a different fields, however, the behavior changes.
For example, this query shows the most frequent UUIDs (a custom field):
index="main" *CONNECTION | top UUID limit=1 | fields UUID
The following all return "No matching events found.":
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID]
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as query]
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search]
Pasting the output from either of
index="main" *CONNECTION | top UUID limit=1 | fields UUID | format
index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search | format
into a new splunk search produces the expected results.
Could this be a syntax or configuration issue, or do I not understand how subsearches work? We're on 4.1.3; could this be related to SPL-32669 ?
thanks in advance,
rick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What happens when you put a "format" in the subsearch? Like does this work:
index=main [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | format ]
I've found times where my subsearch will not work without tacking on a | format on the end, I'm not sure why, and it doesn't seem like you should have to. Perhaps someone more familiar with subsearches help explain when you need format and when you do not.
Another thing to look into is using the "Job Inspector" and looking at the "remoteSearch" value. You should see "litsearch" followed by the expanded form of your search. You may find something interesting going on here that could explain why your subsearch isn't working properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search Job Inspector shows the following, though I'm not sure how to interpret it:
remoteSearch | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | format ]
also yields "No matching events found."
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
