Splunk Search

Subsearch in search command not returning results

msarro
Builder

Hey everyone, I am pretty sure this is a simple question, but I'd appreciate a sanity check.

When I run the following command I get a list of values (2910 results, suppose one value is the string "ReturnedValueX"):

index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD

When I try to run it as a subsearch of another search command, however, I get 0 results.

index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD]

BUT, if I take one of the values from MY_OTHER_FIELD and use it as a string in the search command like this I get results:

index=myothersearchindex host="myserver*" "ReturnedValueX"

The only possible issues I can think of are:
1) The number of results from the subsearch is too high
2) There are no defined fields in index=myothersearchindex, just raw log data. The goal is to take the list of string values from the subsearch and use it to limit the results of the outer search.


bmacias84
Champion

Hello msarro,

I think I see what you are trying to do, which is to pass the values up from a subsearch to the main search. For this you will need to use the return command. By default return only returns one value, but you can increase that. There are performance implications to increasing the return value.

Here is my example, not knowing your data:


index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|return 10 MY_OTHER_FIELD]

What your search actually looks like:


index=myothersearchindex host="myserver*" MY_OTHER_FIELD="Value1" OR MY_OTHER_FIELD="Value2" OR MY_OTHER_FIELD="Value3" OR MY_OTHER_FIELD="Value4" OR MY_OTHER_FIELD="Value5" OR MY_OTHER_FIELD="Value6"

If you just want the values use ... | return 10 $MY_OTHER_FIELD

Additional Reading:

Return

Hope this helps or gets you started. If it does don't forget to vote up and/or accept the answer.

Cheers
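The expansion bmacias84 describes, as an added model written for this thread (not Splunk's own code): the subsearch output is turned into an OR clause, and on an index with no field extractions only the bare-term form from `return $FIELD` can match raw events. Event text and values are constructed; Splunk's real matching is token-based, which the substring check here only approximates.

```python
import re

# Constructed raw events for index=myothersearchindex: no extracted fields.
RAW_EVENTS = [
    'Jan 01 10:00:01 myserver1 app: session ReturnedValueX opened',
    'Jan 01 10:00:02 myserver2 app: session ReturnedValueY opened',
    'Jan 01 10:00:03 myserver1 app: heartbeat ok',
]

# Constructed MY_OTHER_FIELD values, standing in for the subsearch result.
SUBSEARCH_VALUES = ['ReturnedValueX', 'ReturnedValueY']


def expand_table(values, field):
    """Clause built from '| table FIELD' output: one field=value pair per row."""
    return ' OR '.join(f'({field}="{v}")' for v in values)


def expand_return(values, field, limit=1, bare=False):
    """Clause built from '| return N FIELD'; bare=True models '$FIELD',
    which emits the value without the field name. Default N is 1."""
    terms = [f'"{v}"' if bare else f'{field}="{v}"' for v in values[:limit]]
    return ' OR '.join(terms)


def search(events, clause, extracted_fields=None):
    """Return the events matching an OR clause. field=value terms need an
    extracted field; bare "terms" are matched against the raw text
    (simplified to a substring check)."""
    extracted = extracted_fields or {}   # raw logs: nothing extracted
    hits = []
    for ev in events:
        for term in re.split(r'\s+OR\s+', clause):
            field, sep, value = term.strip('()').partition('=')
            if sep:
                ok = extracted.get(field) == value.strip('"')
            else:
                ok = term.strip('"') in ev
            if ok:
                hits.append(ev)
                break
    return hits


if __name__ == '__main__':
    print(search(RAW_EVENTS, expand_table(SUBSEARCH_VALUES, 'MY_OTHER_FIELD')))
    print(search(RAW_EVENTS, expand_return(SUBSEARCH_VALUES, 'MY_OTHER_FIELD', 10, True)))
```

In Splunk itself, appending `| format` to the subsearch shows the exact clause it expands to, which is the quickest way to confirm which form you are getting.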

msarro
Builder

This is exactly what I was looking for, thank you!
