cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
chicocinco
Observer
Member since: ‎02-18-2020
‎03-04-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-18-2020
Activity Feed
View All

Re: using subsearches on different index

by in Splunk Search
‎03-04-2022 03:39 AM
‎03-04-2022 03:39 AM
i tried your suggestions that is remove the second search and move one of the bracked to the last and it threw an error instead ... View more

How to use subsearches on a different index?

by in Splunk Search
‎03-04-2022 12:14 AM
‎03-04-2022 12:14 AM
I want to search all the email logs for a mail transaction.  However we have multiple indexes for our mail logs.  When i run the search below , it gets the qid  which is the expected behavior.    sourcetype=INDEX_B index=INDEX_B [search sourcetype=INDEX_A to=*<email address>* | fields msgid |rename msgid as hdr_mid] | table qid   where:    msgid/hdr_mid = unique email id in index_A. I have to rename msgid to hdr_mid as thats the name of the field in INDEX_A qid = another unique id in INDEX_B that corresponds to INDEX_A   What i want to accomplish is that the result of the qid will immediately search all match in INDEX_B but its not generating any search result. Below is the  modified version i made.   sourcetype=INDEX_B index=INDEX_B [search sourcetype=INDEX_B index=INDEX_B | search [search sourcetype=INDEX_A to=*<email address>* | fields msgid |rename msgid as hdr_mid | rename qid as search]] | table qid     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2022 09:30 AM