Splunk Search

Subsearch in search command not returning results

msarro
Builder

Hey everyone, I am pretty sure this is a simple question, but I'd appreciate a sanity check.

When I run the following command I get a list of values (2910 results, suppose one value is the string "ReturnedValueX"):

index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD

When I try to run it as a subsearch to another search command, however, I get 0 results.

index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD]

BUT, if I take one of the values from MY_OTHER_FIELD and use it as a string in the search command like this I get results:

index=myothersearchindex host="myserver*" "ReturnedValueX"

The only possible issues I can think of are:
1) The number of results from the subsearch is too high
2) There are no defined fields in index=myothersearchindex, just raw log data. The goal is to take the list of string values from the subsearch and use it to limit the results of the outer search.

1 Solution

bmacias84
Champion

Hello msarro,

I think I see what you are trying to do, which is to pass the values up from a subsearch to the main search. For this you will need to use the return command. By default return only returns one value, but you can increase that. There are performance implications to increasing the return value.

Here is my example not knowing your data.


index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|return 10 MY_OTHER_FIELD]

What your search actually looks like:


index=myothersearchindex host="myserver*" MY_OTHER_FIELD="Value1" OR MY_OTHER_FIELD="Value2" OR MY_OTHER_FIELD="Value3" OR MY_OTHER_FIELD="Value4" OR MY_OTHER_FIELD="Value5" OR MY_OTHER_FIELD="Value6"

If you just want the values use ... | return 10 $MY_OTHER_FIELD

Additional Reading:

Return

Hope this helps or gets you started. If it does don't forget to vote up and/or accept the answer.

Cheers
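To make the difference between the two return forms concrete, here is an added Python model (not from this thread or from Splunk) of how the subsearch is rewritten into the outer search and why `field="value"` terms find nothing when the outer index holds raw text with no extracted fields. The sample rows, events and the substring matcher are constructed assumptions standing in for Splunk's own matching.

```python
"""Added example (not from the thread): a model of how Splunk rewrites a
subsearch into the outer search, and why the two forms behave differently when
the outer index holds only raw text with no extracted fields.

Assumptions: subsearch results are dicts, outer-index events are raw strings,
and the matcher below is a simplified stand-in for Splunk's own matching."""
import re

# Constructed sample data: what the subsearch returns, and raw events in the outer index.
SUBSEARCH_ROWS = [{"MY_OTHER_FIELD": "ReturnedValueX"},
                  {"MY_OTHER_FIELD": "ReturnedValueY"},
                  {"MY_OTHER_FIELD": "ReturnedValueX"}]   # duplicates are collapsed
OUTER_EVENTS = ["2024-01-01 sess=ReturnedValueX action=login ok",
                "2024-01-01 sess=Unrelated action=login fail",
                "2024-01-01 sess=ReturnedValueY action=logout"]

def expand_subsearch(rows, field, limit=10, values_only=False):
    """Build the string Splunk substitutes for the [ ... ] subsearch.

    values_only=False models `| return N field`:  field="v1" OR field="v2" ...
    values_only=True  models `| return N $field`: "v1" OR "v2" ...
    limit plays the role of N; `| table field` behaves like the first form
    but is capped by the subsearch result limit instead of N."""
    values = []
    for row in rows:
        v = row.get(field)
        if v is not None and v not in values:
            values.append(v)
        if len(values) == limit:
            break
    fmt = '"{v}"' if values_only else field + '="{v}"'
    return " OR ".join(fmt.format(v=v) for v in values)

def matching_events(search_string, events, extracted=None):
    """Return the events an OR-of-terms search would keep.

    field="v" terms need that field to be extracted from the event (looked up
    in `extracted`, keyed by event); bare "v" terms match the raw text,
    modeled here as a substring test."""
    if not search_string:          # no terms: keep nothing (simplification)
        return []
    extracted = extracted or {}
    kept = []
    for ev in events:
        for term in search_string.split(" OR "):
            m = re.fullmatch(r'(\w+)="([^"]*)"', term)
            hit = (extracted.get(ev, {}).get(m.group(1)) == m.group(2) if m
                   else term.strip('"') in ev)
            if hit:
                kept.append(ev)
                break
    return kept
```

Running `matching_events` with the `field="value"` expansion over the raw events keeps nothing, while the `$field` expansion keeps the two events that contain the returned values.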


msarro
Builder

This is exactly what I was looking for, thank you!
