I would like all the results from a field extraction in search "A" to be used as search criteria in search "B". I am using a subsearch for this, however for some reason only the top result for the field in search "A" is being used in search "B", where I want all the values to be used. Individually search A returns multiple results, and I can find these results in search B but not together:
index=<my_index> sourcetype=<my_sourcetype> other search foo [search index=<my_other_index> sourcetype=<another_sourcetype> extra search foo | rex field=_raw "some regex(?<my_field>)" | dedup my_field | fields my_field | rename my_field as search ]
For example my_field should return a bunch of values e.g. 1, 2, 3, 4, 5 but only "1" is being used in the parent search.
Any ideas why it isn't using all of the values with implicit "OR" between??
Hi 775149,
give format
a try https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/format
Hope this helps ...
cheers, MuS
Hi 775149,
give format
a try https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/format
Hope this helps ...
cheers, MuS
Perfect, thanks can't believe it was so simple after all that googling
index=<my_index> sourcetype=<my_sourcetype> other search foo [search index=<my_other_index> sourcetype=<another_sourcetype> extra search foo | rex field=_raw "some regex(?<my_field>)" | dedup my_field | fields my_field | rename my_field as search | format ]