It is two separate searches that have to crank through the data and timeframe twice. To see this, run the sub-search separately in its own search window. Fair warning: if you are churning through something like firewall logs, this will not be very fast. The format command will create a formatted sub-search (the default is (field=value OR field=value)); however, you can use this command to create sub-searches like ((field=value OR field=value) AND (field=value)), etc. Also attempted adding it via line 3 and outputting it as a different name; this yielded the same results. 3) Subsearches must be enclosed in square brackets and must start with a generating command (e.g. search, makeresults, etc.). 2) The result of the subsearch is used as an argument to the primary or outer search. Rename the sub-search field to match the original data field. Unfortunately, adding vusername as an additional field in line 4 causes the query to return zero results. Definition: 1) A subsearch is a search that is used to reduce the set of events from your result set. Using stats to pull a list of unique dest_ips does not translate into a SQL GROUP BY, but into a SELECT of multiple SUMs from a subquery. Initiate the sub-search: as previously stated, Splunk will process this first. The return command is used to pass values up from a subsearch. Do this: indexmyindex indexmyindex hostmyhost MyName top limit1 clID fields + clID rename clID as search. If the field is named search (or query), the field name will be dropped and the subsearch (or technically, the implicit format command at the end of the subsearch) will drop th. Splunk Search Solved Subsearch to only return multiple field values SailorManDan Explorer 08-13-2021 07:36 PM Hello, I am trying to only return the values of certain fields to be used in a subsearch.