Can a subsearch return only the value (without the fieldname)?

Question

(Copied from a legacy Splunk Forums post by user bpf)

Hello

I have the following problem:

I have a Name. With this Name I search the clID first.
Then I will search in several sources this clID-Value.

I have the following search:

index="myindex" [ index="myindex" host="myhost" <Name> | top limit=1 clID | fields + clID ]

The subsearch returns something like: ( (clID="0050834ja") )

Now, my problem is, that in the different sources the clID-Value appears in different fields. Is there a way that the subsearch return only the field-Value ("0050834ja") without the fieldname?

Thanks for your help. Bruno

Accepted Answer

Yes. Do this:

index=myindex [ index=myindex host=myhost MyName | top limit=1 clID | fields + clID | rename clID as search ]

If the field is named search (or query) the field name will be dropped and the subsearch (or technically, the implicit |format command at the end of the subsearch) will drop the field name and return ( ( 0050834ja ) ). Multiple results will return, e.g., ( ( value1 ) OR ( value2 ) OR ( value3 ) ).

This is a special case only when the field is named either "search" or "query". Renaming your fields to anything else will make the subsearch use the new field names.

Can a subsearch return only the value (without the fieldname)?

Follow this question

Splunk Resources

Related questions