Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Returning a computed expression in a subsearch

fk319
Builder
‎03-04-2013 12:31 PM

I am using a subsearch to build part of a query. The query is complex so I need to build the search that I want and then return it. (We have not yet upgraded to a version that has the return command.) I can return the entire expression, but Splunk thinks it is a string and does a search againt the string and not the value of the string. I can also return the temp variable equal to the expression, but that is not what I want either. Here is an idea of what I am doing:

[ search ID="*" error
  | eval search="( ID=".ID." error ) OR ( accessID=".ID." type=access "
  | stats values(search) as searches
  | eval NewSearch=mvjoin(searches," OR ")
  | ???? NewSearch
] | ....

I am using this example as a guide.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-04-2013 01:45 PM

It's simpler than you think:

[ ID=* error | eval search="( ID=".ID." error ) OR ( accessID=".ID." type=access )" | fields search ]

and that's it. You don't need the stats or mvjoin, as the subsearch takes care of that. The trick is that the field has to be named either search or query for Splunk to just return the string.

There is some weird behavior with quoting of terms though with subsearch, so the return command is a lot more reliable. You can actually just copy and register the return.py command from a newer version of Splunk into yours and it should work fine. In that case:

[ ID=* error | eval search="( ID=".ID." error ) OR ( accessID=".ID." type=access )" | return 10000 $search ]

will be more reliable.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-04-2013 01:45 PM

It's simpler than you think:

[ ID=* error | eval search="( ID=".ID." error ) OR ( accessID=".ID." type=access )" | fields search ]

and that's it. You don't need the stats or mvjoin, as the subsearch takes care of that. The trick is that the field has to be named either search or query for Splunk to just return the string.

There is some weird behavior with quoting of terms though with subsearch, so the return command is a lot more reliable. You can actually just copy and register the return.py command from a newer version of Splunk into yours and it should work fine. In that case:

[ ID=* error | eval search="( ID=".ID." error ) OR ( accessID=".ID." type=access )" | return 10000 $search ]

will be more reliable.

Reply
Solved! Jump to solution

fk319
Builder
‎03-05-2013 06:34 AM

When I use search, I just get the first instance. When I use different variable, I get them all. This is what I did to get it to work:

[ search ID="*" error
| eval sch="( ID=".ID." error ) OR ( accessID=".ID." type=access "
| stats values(sch) as searches
| eval search=mvjoin(searches," OR ")
| fields search
] | ....

Thanks for your help...

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎03-04-2013 04:06 PM

whereas the complete set of sourcetypes is :

Subsearch evaluated to the following search expression: "( sourcetype=multiline errror ) OR ( sourcetype=multiline type=access ) OR ( sourcetype=multline errror ) OR ( sourcetype=multline type=access ) OR ( sourcetype=syslog errror ) OR ( sourcetype=syslog type=access ) OR ( sourcetype=tcp-raw errror ) OR ( sourcetype=tcp-raw type=access )"

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎03-04-2013 04:05 PM

On 5.X the subsearch evaluates to just the 1st row returned.

i.e.

* [ search sourcetype=* | eval search="( sourcetype=".sourcetype." error ) OR ( sourcetype=".sourcetype." type=access )" | fields search ]

Evaluates to :

Subsearch evaluated to the following search expression: ( sourcetype=multline error ) OR ( sourcetype=multline type=access )

There's more than 1 sourcetype :

sourcetype=* | stats dc(sourcetype) = 4

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎03-04-2013 01:22 PM

Try 

[ search ID="*" error 
  | dedup ID
  | eval search="( ID=".ID." errror ) OR ( accessID=".ID." type=access )" 
  | stats values(search) as searches 
  | eval search=mvjoin(searches," OR ") 
  | fields search
  | format "" "" "" "" "" ""
]

For every ID we find we create a field called search that looks like :

( ID=xxxxx error ) OR ( accessID=xxxxx type=access )

Then we join them all together with an " OR "

Then we return the "search" field with special formating so the result is returned as is.

Note:

the field "search" is special when used in conjunction with format.

compare :

* earliest=-60m | dedup sourcetype | stats values(sourcetype) as sourcetypes| eval wibble=mvjoin(sourcetypes," OR ") | fields wibble | format "" "" "" "" "" ""

with 

* earliest=-60m | dedup sourcetype | stats values(sourcetype) as sourcetypes| eval search=mvjoin(sourcetypes," OR ") | fields search | format "" "" "" "" "" ""
0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎03-05-2013 05:51 AM

the first is returning:
wibble="(ID=xxxxx error)OR(accessID=xxxxx type=access)"
and the second is returning:
"(ID=xxxxx error)OR(accessID=xxxxx type=access)"
what I want is:
(ID=xxxxx error)OR(accessID=xxxxx type=access)

I want to evaluate the expression and not compare against it.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...