I'm stumbling over subsearches.
In our system, app server logs contain an SID (session ID). It's trivial to find all (valid/known) SIDs for a given account with:
SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID
I can also break down the status codes easily:
sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE
But I can't figure out how to put the two together using a subsearch. If I try:
sourcetype=unicorn HTTP_CODE>=400 | top HTTP_CODE [ SID!=SID_UNKNOWN sourcetype=unicorn account="customer@example.com" | top SID | table SID ]
I get:
Unknown search command 'sid'.
What am I missing here?
You need to call a command first, such as "search". For the main query that is prepended by default. Something like this:
... [search SID=...
I'm not sure what you want to do though, since you're passing the result of the subsearch to the top command, which doesn't support this.
top limit=1000 or top limit=0, but yes, dedup is better if you don't need the ranking and percentages, since it doesn't have to sort or accumulate the total.
"It's trivial to find all" - top does not return all the SIDs.
[ ... | fields SID | dedup SID ]
will
You don't need the | at the start of the subsearch. It's implicit, which is why there's an error in the first place.
Take a look at the return command in the splunk docs as well.
Thanks, I figured out the same by looking thru other questions tagged with subsearch. Here's what I ended up with:
sourcetype=unicorn HTTP_CODE>=400 [ | search SID!=SID_UNKNOWN sourcetype=unicorn account=customer@example.com | top SID | table SID ] | top HTTP_CODE
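As an added illustration (not part of the original thread, and not Splunk code), the following Python models what happens in the final query: the subsearch's rows are expanded into an OR'd SID filter that the outer search applies, and `top SID` with its default limit of 10 can silently drop sessions that `dedup SID` would keep. The event list is constructed; the `sid..` values and field names are assumptions.

```python
# Python model of Splunk subsearch expansion and of top-vs-dedup in the inner search.
# Not Splunk code; the events below are constructed for the example.
from collections import Counter

# Constructed events: 12 distinct sessions for the account (sid02/05/08/11 hit 500),
# one repeat of sid01 with a 404, one other account, and one SID_UNKNOWN event.
EVENTS = [{"sourcetype": "unicorn", "account": "customer@example.com",
           "SID": f"sid{n:02d}", "HTTP_CODE": 500 if n % 3 == 2 else 200}
          for n in range(12)]
EVENTS += [{"sourcetype": "unicorn", "account": "customer@example.com",
            "SID": "sid01", "HTTP_CODE": 404},
           {"sourcetype": "unicorn", "account": "other@example.com",
            "SID": "sid99", "HTTP_CODE": 503},
           {"sourcetype": "unicorn", "account": "customer@example.com",
            "SID": "SID_UNKNOWN", "HTTP_CODE": 401}]

def inner_events(events, account):
    """The subsearch body: SID!=SID_UNKNOWN sourcetype=unicorn account=<account>."""
    return [e for e in events if e["sourcetype"] == "unicorn"
            and e["account"] == account and e["SID"] != "SID_UNKNOWN"]

def top_sid(events, limit=10):
    """`top SID | table SID`: most frequent values, truncated to `limit` rows (default 10)."""
    return [sid for sid, _ in Counter(e["SID"] for e in events).most_common(limit)]

def dedup_sid(events):
    """`fields SID | dedup SID`: every distinct SID, in first-seen order."""
    return list(dict.fromkeys(e["SID"] for e in events))

def expand_subsearch(rows, field="SID"):
    """Splunk rewrites the subsearch rows into an OR'd filter on the outer search (roughly this form)."""
    return " OR ".join(f'({field}="{v}")' for v in rows)

def outer_search(events, allowed_sids):
    """sourcetype=unicorn HTTP_CODE>=400 [subsearch] | top HTTP_CODE, returned as {code: count}."""
    hits = [e for e in events if e["sourcetype"] == "unicorn"
            and e["HTTP_CODE"] >= 400 and e["SID"] in allowed_sids]
    return dict(Counter(e["HTTP_CODE"] for e in hits).most_common())

if __name__ == "__main__":
    inner = inner_events(EVENTS, "customer@example.com")
    print(expand_subsearch(top_sid(inner)))          # 10 SIDs: sid10 and sid11 are dropped
    print(outer_search(EVENTS, set(top_sid(inner))))  # {500: 3, 404: 1}  (sid11's 500 is missed)
    print(outer_search(EVENTS, set(dedup_sid(inner)))) # {500: 4, 404: 1}
```

With `dedup`, sid11's 500 is counted; with the default `top`, it never reaches the outer search because the subsearch only handed back ten SIDs.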