Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a subquery result in 'IN' clause

revathiram
Engager
‎12-24-2020 02:52 AM

Hi,

I have a query like below which would return a list of host names.

index=osmetrics flock=xxx source=ps PID=1
| lookup xxx.csv host
| stats latest(ELAPSED) as last_reboot by host 
| eval reboot_days=if(like(last_reboot, "%-%"), mvindex(split(last_reboot, "-"),0), 0)
| search reboot_days=0
| fields host | rename host as search

---------------------

Result:

search

----------

host 1

host 2

host 3

 

I want to use the above query results as a sub-query like below:

host IN [ index=osmetrics flock=xxx source=ps PID=1
| lookup xxx.csv host
| stats latest(ELAPSED) as last_reboot by host 
| eval reboot_days=if(like(last_reboot, "%-%"), mvindex(split(last_reboot, "-"),0), 0)
| search reboot_days=0
| fields host | rename host as search ]  
| timechart count by abcd

which is

host IN ( "host 1","host 2","host 3" ) 
| timechart count by abcd

Please help me with the query to format the output of query 1 like ( "host 1","host 2","host 3" ) and use it as sub-query in query 2.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-24-2020 03:50 AM

sample:

| makeresults count=10 
| eval host="host".random() % 10 
| search host IN ( 
    [| makeresults count=10 
    | eval host="host".random() % 10 
    | table host 
    | stats values(eval("\"".host."\"")) as search delim="," 
    | nomv search])

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-24-2020 03:50 AM

sample:

| makeresults count=10 
| eval host="host".random() % 10 
| search host IN ( 
    [| makeresults count=10 
    | eval host="host".random() % 10 
    | table host 
    | stats values(eval("\"".host."\"")) as search delim="," 
    | nomv search])
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...