Hello,
I have a main search, with an append command.
Some events contain just the user; others just the addr; and still others both the user and the addr. The issue is I only know user. However, to find events which contain just the addr I need to search the log for events where the user!="" and where addr!="". Then I can run a new search on log with $addr=addr. I will use dedup at the end.
|append
[ search index ="events"
AND source="log"
AND (user="$userId_tok$"
OR [ search index ="events"
AND source="/log"
AND user="$userId_tok$"
| head limit=1
| eval addr="\"".addr."\""
| return $addr ]
Can OR work with subsearches?
I hope that makes sense.
Thanks and God bless,
Genesius
The way that subsearches work by default is that the fields within a row are combined with AND and then rows are combined with OR. You can see what is done by running your subsearch and then adding | format to the end and it will show you the SPL that it will generate. Additionally, the format command allows you to change the AND to OR or the OR to AND if you like, by passing the appropriate arguments. Check it out:
https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults
@woodcock ,
I want to thank you for your reply. I will check into later this afternoon. I'm prepping for a meeting.
Thanks and God bless,
Genesius
@woodcock
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to thank people and close.
Using | format and the supplied link have been a great education.
Apologies for the delay.
Thanks and God bless,
Genesius
Be sure to come back and click Accept to close the question and UpVote any useful answers or comments.
@woodcock
Got it. Done.
I saw the Accept button over my response and thought I would be accepting mine and not yours. Thanks and God bless,
Genesius
It should work with OR (you just need to ensure that proper brackets are placed so that your logic is correct). Your second subsearch is just returning the value (because of the dollar sign), so your search becomes this:
search index ="events"
AND source="log"
AND (user="$userId_tok$"
OR ("address_value_returned_from_subsearch")
That is intentional right?
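Added example, not from the thread and not Splunk's own code: a small Python model of what the two answers above describe, i.e. how `| format` turns subsearch rows into SPL (fields within a row joined with AND, rows joined with OR, swappable via the positional arguments) and how `| return $addr` differs from `| return addr`. The default `format` arguments are taken from the documented `| format "(" "(" "AND" ")" "OR" ")"`; the layout this model uses for a multi-row `return` (one parenthesised group per row, joined with OR) is an assumption of the model; the sample rows are constructed to resemble the thread's user/addr events. It models the string substitution only, not where Splunk's parser accepts a subsearch.

```python
# Added example (not from the thread, not Splunk code): a model of how
# `| format` and `| return` turn subsearch rows into the SPL string that is
# substituted into the outer search. Sample rows below are constructed.
from typing import Dict, List, Optional

Row = Dict[str, Optional[str]]

# Constructed rows, as an inner search might return them: one event with both
# fields, one with only addr, one with only user (None = field absent).
SAMPLE_ROWS: List[Row] = [
    {"user": "jdoe", "addr": "10.0.0.5"},
    {"user": None, "addr": "10.0.0.6"},
    {"user": "jdoe", "addr": None},
]


def spl_quote(value: str) -> str:
    """Quote a value the way generated SPL writes it: field="value"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_rows(rows: List[Row],
                row_prefix: str = "(", col_prefix: str = "(",
                col_sep: str = "AND", col_end: str = ")",
                row_sep: str = "OR", row_end: str = ")") -> str:
    """Model of `| format`. Defaults equal the documented
    `| format "(" "(" "AND" ")" "OR" ")"`; pass col_sep="OR", row_sep="AND"
    for `| format "(" "(" "OR" ")" "AND" ")"`. Absent (None) fields are
    left out of their row, and an empty result set yields an empty string."""
    clauses = []
    for row in rows:
        terms = [f"{k}={spl_quote(v)}" for k, v in row.items() if v is not None]
        if terms:
            joined = f" {col_sep} ".join(terms)
            clauses.append(f"{col_prefix} {joined} {col_end}")
    if not clauses:
        return ""
    body = f" {row_sep} ".join(clauses)
    return f"{row_prefix} {body} {row_end}"


def return_spl(rows: List[Row], *specs: str, count: int = 1) -> str:
    """Model of `| return [count] <spec> ...` where each spec is one of:
         field        -> field="value"
         $field       -> value          (bare, no field name, no quotes)
         alias=field  -> alias="value"
    Only the first `count` rows are used (default 1). With several rows the
    model emits one parenthesised group per row joined with OR (assumption)."""
    groups = []
    for row in rows[:count]:
        parts = []
        for spec in specs:
            if spec.startswith("$"):
                value = row.get(spec[1:])
                if value is not None:
                    parts.append(value)
            else:
                alias, _, field = spec.partition("=")
                value = row.get(field or alias)
                if value is not None:
                    parts.append(f"{alias}={spl_quote(value)}")
        if parts:
            groups.append(" ".join(parts))
    if len(groups) == 1:
        return groups[0]
    return " OR ".join(f"( {g} )" for g in groups)


def quoted_return_hack(rows: List[Row]) -> str:
    """The thread's inner pipeline, `| head limit=1 | eval addr="\\"".addr."\\""
    | return $addr`: quotes are added by hand because `return $addr` emits the
    bare value. `return addr` (no dollar sign) already emits addr="value"."""
    first = rows[:1]                                   # head limit=1
    quoted = [{**r, "addr": '"' + r["addr"] + '"'}      # eval addr="\"".addr."\""
              for r in first if r.get("addr") is not None]
    return return_spl(quoted, "$addr")


def intended_expansion(rows: List[Row], user_id: str) -> str:
    """The substitution the thread is reasoning about, using `return addr` so
    the field name travels with the value. This only models the string
    substitution, not whether the parser accepts a subsearch at that spot."""
    sub = return_spl(rows, "addr")
    return f'search index="events" source="log" (user={spl_quote(user_id)} OR {sub})'


if __name__ == "__main__":
    print(format_rows(SAMPLE_ROWS))
    print(format_rows(SAMPLE_ROWS, col_sep="OR", row_sep="AND"))
    print(return_spl(SAMPLE_ROWS, "$addr"), "|", return_spl(SAMPLE_ROWS, "addr"))
    print(quoted_return_hack(SAMPLE_ROWS))
    print(intended_expansion(SAMPLE_ROWS, "jdoe"))
```

Running it shows the default `format` output `( ( user="jdoe" AND addr="10.0.0.5" ) OR ( addr="10.0.0.6" ) OR ( user="jdoe" ) )`, the swapped OR/AND variant, and that `return $addr` gives `10.0.0.5` while `return addr` gives `addr="10.0.0.5"`, which is the point somesoni2 makes about the dollar sign and the reason for the quoting eval in the original search. Appending `| format` to the real subsearch in Splunk prints the same kind of string for the live data, which is the check woodcock suggests.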
@somesoni2
Yes. Don't forget the trailing ).
AND (user="$userId_tok$"
OR ("address_value_returned_from_subsearch"))
Thanks and God bless,
Genesius
@somesoni2
Also, here is the error message.
Error in 'SearchParser': Subsearches are only valid as arguments to commands.
Thanks and God bless,
Genesius
What's your full search?
@somesoni2
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to thank people and close.
Apologies for the delay.
Thanks and God bless,
Genesius