Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Keeping field of subsearch

javo
Explorer
‎02-19-2013 06:09 AM

How can I keep fields of a subsearch so I can add them to a table with the end result? I tried with no success

... [ ... | fields + foo, bar] | table fieldX, fieldY, foo, bar

The problem is that the subsearch runs on one log file, and the main search runs on a different log with other fields. Field foo is in both logs but field bar is not. So when I call foo it is shown from main log but I can't find the way to keep field bar from the subsearch log.

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2013 06:23 AM

In general adding fields from a second source based on a shared field is a join: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Join

Reply

javo
Explorer
‎02-20-2013 07:12 AM

sourcetype=asdf content=oops [search sourcetype=fdsa fish=-88 | fields location] | table location, content, problem, paper

being problem and paper the two fields in subsearch log I want to show in the table.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2013 01:00 PM

Here's a generic example of a join:

| gentimes start=-1 increment=5m | eval foo = starttime % 10800 | fields + starttime foo | join type=left [gentimes start=-1 increment=1h | eval foo = starttime % 10800 | eval bar = 42 | fields + foo bar]
Reply

Ayn
Legend
‎02-19-2013 12:35 PM

You haven't provided us with a full search so it's hard to give you more advice on how you could rewrite your query.

0 Karma
Reply

javo
Explorer
‎02-19-2013 11:46 AM

I'm not sure if this is what I need. Any example please?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...