Subsearch issue with specified fields

RobertRi
Communicator

Hi

I would like to get all sourcetypes for a specific app, which normally have one index.
So I tried this search:

index=_internal group=per_sourcetype_thruput series=[|metadata type=sourcetypes index=itm | table sourcetype | format]

but it seems that I can't use the series field directly.
Is this generally possible, or do I have to escape the field for that?

Thanks
Rob

1 Solution

Ayn
Legend

That will cause a syntax error because the string returned by the subsearch is formatted somewhat differently - you can see exactly how it's formatted by running the subsearch on its own, including the ending format command.

You could fix this by specifying arguments to format, but a better option would be to just rename your sourcetype field in the subsearch to series.

index=_internal group=per_sourcetype_thruput [|metadata type=sourcetypes index=itm | rename sourcetype as series | fields series]

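To see exactly what the outer search receives from the subsearch in both versions, here is a small Python model of the default `format` rendering (the `"(" "(" "AND" ")" "OR" ")"` defaults that run implicitly at the end of a subsearch). It is added to this thread as an illustration, not Splunk's own code; the sourcetype names are constructed, and the double-quoting/escaping of values is an assumption.

```python
from typing import Dict, List

# Constructed sample of what `| metadata type=sourcetypes index=itm | fields sourcetype`
# might return; the sourcetype names are made up for this illustration.
CONSTRUCTED_ROWS: List[Dict[str, str]] = [
    {"sourcetype": "itm:agent"},
    {"sourcetype": "itm:server"},
]


def _quote(value: str) -> str:
    # Assumption: values are double-quoted, with embedded backslashes and quotes escaped.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def splunk_format(rows: List[Dict[str, str]],
                  prefix: str = "(", row_prefix: str = "(", col_sep: str = "AND",
                  row_suffix: str = ")", row_sep: str = "OR", suffix: str = ")") -> str:
    """Model of the default `format` rendering: each row becomes
    ( f1="v1" AND f2="v2" ), rows are OR-ed together, and the whole thing is
    wrapped in ( ). This string is what gets spliced into the outer search."""
    rendered = []
    for row in rows:
        terms = [f"{field}={_quote(value)}" for field, value in row.items()]
        joined = f" {col_sep} ".join(terms)
        rendered.append(f"{row_prefix} {joined} {row_suffix}")
    body = f" {row_sep} ".join(rendered)
    return f"{prefix} {body} {suffix}"


def original_search(rows: List[Dict[str, str]]) -> str:
    """The asker's version: the formatted string is pasted verbatim after `series=`,
    so the outer search reads `series=( ( sourcetype="..." ) OR ... )`, which is
    not a valid field=value term and causes the syntax error."""
    return "index=_internal group=per_sourcetype_thruput series=" + splunk_format(rows)


def fixed_search(rows: List[Dict[str, str]]) -> str:
    """Ayn's fix: `rename sourcetype as series` inside the subsearch, so the
    implicit format already emits `series="..."` terms the outer search understands."""
    renamed = [{"series": row["sourcetype"]} for row in rows]
    return "index=_internal group=per_sourcetype_thruput " + splunk_format(renamed)


if __name__ == "__main__":
    print(splunk_format(CONSTRUCTED_ROWS))
    print(original_search(CONSTRUCTED_ROWS))
    print(fixed_search(CONSTRUCTED_ROWS))
```

Running the subsearch on its own with `| format` appended, as Ayn suggests, shows the same shape as `splunk_format` produces here.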

Ayn
Legend

That's great that you got it working, but there's really no need to rewrite the search like that - format is called implicitly at the end of a subsearch anyway, and table is possibly worse performance-wise than fields.

RobertRi
Communicator

Thanks, that works.

And this, with a small change, works too:

index=_internal group=per_sourcetype_thruput [|metadata type=sourcetypes index=itm | table sourcetype | rename sourcetype AS series | format]

ddarmand
Communicator

You can use Sideview Utils to do that.
