Hi,
I need a way to check if a value is in a subsearch table result.
For example, I use this code, which doesn't work:
index=testeda_p groupID=sloc_data
| search project=Periph core=ipa core_ver=* sloc_type="rtl"
| search _time contains
[ search index=testeda_p groupID=sloc_data (project=Periph) (core=ipa) core_ver=* sloc_type="rtl"
| sort -_time
| dedup core_ver
| table _time
]
| table project core core_ver file sloc_date sloc_type sloc upload_id _time
Thanks
Hi matansocher,
Did you already test running the subsearch?
index=testeda_p groupID=sloc_data (project=Periph) (core=ipa) core_ver=* sloc_type="rtl"
| sort -_time
| dedup core_ver
| table _time
Bye.
Giuseppe
Sure, it returns a table of times (_time field).
I will rewrite my question. I need the main search to check whether the _time value it (the main search) has is in the table from the subsearch, i.e. whether the subsearch table contains the _time value of the main search.
Hi matansocher,
No, you can check whether the value of the subsearch is in the main search, not the opposite.
Anyway, I see that the search and subsearch are the same; what's your need?
In addition, you don't need to divide the main search; you could use
index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=* sloc_type="rtl" [ search
index=testeda_p groupID=sloc_data project=Periph (core=ipa) core_ver=* sloc_type="rtl"
| sort -_time
| dedup core_ver
| table _time
]
| table project core core_ver file sloc_date sloc_type sloc upload_id _time
Remember that using dedup you have the limit of 10,000 values; to avoid this limit use dedup 0.
Bye.
Giuseppe
I do realize that my subsearch is pretty much the same as the main search, but I just want to understand the concept of a main-search field containing a value from a subsearch table result.
Hi matansocher,
You have a main search with all the filters you like.
One additional filter is the results of the subsearch.
Remember that the filter is related to the fields in the output of the subsearch; in other words, if I have [search index=... | fields name ], I'm adding an additional filter name=all_subsearch_values; obviously the name field must be present in both searches.
If I have two fields in output, I have a filter with two fields, and so on.
This means that I must always choose the fields in the subsearch output.
If I want to add a full text search to the main search, I have to modify my subsearch into [search index=... | rename name AS query | fields query ] (query is a fixed field name).
I hope to be exhaustive.
Bye.
Giuseppe
Thank you, that was a great explanation.
I am probably doing something wrong.
I have this query:
index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=4.2.0 sloc_type="rtl"
[ search index=testeda_p groupID=sloc_data (project=Periph) (core=ipa) core_ver=4.2.0 sloc_type="rtl"
| sort -_time
| dedup core_ver
| table _time
| fields _time
]
| table project core core_ver file sloc_date sloc_type sloc upload_id _time
Does my subsearch create a table with the field _time?
And do I put the subsearch in the right place?
Thanks
Maybe _time is in a different format between the main search and the subsearch.
Try using
index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=4.2.0 sloc_type="rtl"
| eval _time=strptime(_time,"%Y-%m-%d %H:%M:%S%3N")
[ search index=testeda_p groupID=sloc_data project=Periph core=ipa core_ver=4.2.0 sloc_type="rtl"
| sort -_time
| dedup core_ver
| eval _time=strptime(_time,"%Y-%m-%d %H:%M:%S%3N")
| fields _time
]
| table project core core_ver file sloc_date sloc_type sloc upload_id _time
Bye.
Giuseppe
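As an added illustration (my own code, not something posted in this thread and not Splunk's implementation), the following Python simulation shows two things from Giuseppe's replies: how the rows a subsearch returns are expanded into a field="value" OR-filter on the main search (including the special `query` field name), and why a _time value stored as epoch seconds in the main search never matches a formatted timestamp string coming out of the subsearch until both sides are normalized. The events, the subsearch rows, and all function names are constructed for the example; the string-format for _time and the UTC assumption in normalize_time are assumptions of the simulation.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List

Row = Dict[str, Any]

# Field names that Splunk splices into the outer search as raw search text
# instead of as field="value" terms.
RAW_FIELDS = {"query", "search"}


def format_subsearch(rows: List[Row]) -> str:
    """Render subsearch result rows the way the `format` command shows them:
    each row becomes an AND-group of field="value" terms, the groups are OR'ed,
    and a field named `query` (or `search`) is inserted verbatim.
    Returns "" for an empty result (an assumption of this simulation; Splunk's
    own handling of an empty subsearch is not modelled here)."""
    groups = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if field in RAW_FIELDS:
                terms.append(str(value))
            else:
                terms.append(f'{field}="{value}"')
        groups.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(groups) + " )" if groups else ""


def filter_by_subsearch(events: List[Row], rows: List[Row]) -> List[Row]:
    """Keep main-search events that match at least one subsearch row on every
    field that row carries. Comparison is on the string form, which is exactly
    why an epoch _time and a formatted _time string never match. Rows that only
    carry raw `query` text are skipped: this toy matcher does not parse SPL."""
    kept = []
    for ev in events:
        for row in rows:
            terms = {f: v for f, v in row.items() if f not in RAW_FIELDS}
            if terms and all(str(ev.get(f)) == str(v) for f, v in terms.items()):
                kept.append(ev)
                break
    return kept


def normalize_time(rows: List[Row], fmt: str = "%Y-%m-%d %H:%M:%S.%f") -> List[Row]:
    """Convert a string _time in each row back to epoch seconds (UTC assumed),
    the Python counterpart of the strptime() eval suggested above
    (Splunk's %3N milliseconds correspond to %f here)."""
    out = []
    for row in rows:
        r = dict(row)
        if isinstance(r.get("_time"), str):
            r["_time"] = datetime.strptime(r["_time"], fmt).replace(tzinfo=timezone.utc).timestamp()
        out.append(r)
    return out


# Constructed main-search events: _time is epoch seconds, as Splunk stores it.
EVENTS = [
    {"project": "Periph", "core": "ipa", "core_ver": "4.1.0", "sloc": 1100, "_time": 1699913600.0},
    {"project": "Periph", "core": "ipa", "core_ver": "4.2.0", "sloc": 1200, "_time": 1700000000.0},
    {"project": "Periph", "core": "ipa", "core_ver": "4.2.0", "sloc": 1250, "_time": 1700086400.0},
]

# Constructed subsearch output: the latest _time per core_ver (what
# `sort -_time | dedup core_ver` would keep), but rendered as strings,
# which is the mismatch the thread is chasing.
SUB_ROWS_AS_STRINGS = [
    {"_time": "2023-11-15 22:13:20.000"},   # core_ver 4.2.0, latest upload
    {"_time": "2023-11-13 22:13:20.000"},   # core_ver 4.1.0, only upload
]


def demo() -> Dict[str, Any]:
    """The comparisons a practitioner would check when a subsearch filter returns nothing."""
    return {
        "filter_text": format_subsearch(SUB_ROWS_AS_STRINGS),
        "matches_before": len(filter_by_subsearch(EVENTS, SUB_ROWS_AS_STRINGS)),
        "matches_after": len(filter_by_subsearch(EVENTS, normalize_time(SUB_ROWS_AS_STRINGS))),
        "query_rename": format_subsearch([{"query": 'core_ver="4.2.0" OR core_ver="4.1.0"'}]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the generated filter text, zero matches while the subsearch side carries formatted strings, two matches once both sides are epoch seconds, and the raw-text expansion when the output field is renamed to `query`. The practical check in Splunk is the same: append `| format` to the subsearch (or run it alone, as Giuseppe suggested) and compare the value form it emits against the field as the main search sees it.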
The problem was that for some reason Splunk didn't like the manipulation of the _time field. I just added:
| eval time = _time
and then it worked.
I have tried that and I get no results. I know it is not correct because I check the data manually; probably something I don't notice. Do you have any other idea why it does not work?
Thanks a lot for the effort.