A subsearch is a search that is used to narrow down the set of events that you search on. Subsearches are enclosed in square brackets within a main search and are evaluated first. The result of the subsearch is then used as an argument to the primary, or outer, search.

Subsearch is a search query that is nested within another search query, and the results of the subsearch are used to filter the main search, so:

1- First, run a query to extract a list of fields that you want to use for filtering your subsequent Splunk query: index=myindex sourcetype=mysourcetype | table myfield

2- Next, use the results of this query as input to filter the subsequent query using a subsearch: index=myindex sourcetype=mysourcetype [search index=myindex ...

The way a subsearch works is it returns results just like a regular search. Being a subsearch, they run first and their results get inserted into the main search exactly where they are. What you WANT is for the subsearch to return a correctly formatted piece of a search for you to use.

So let's look at your example, tearing it down into a couple of pieces: |inputlookup test_results |where build = [ ... ]

This: |inputlookup test|stats first(build) returns some value for build (I'm lazy and I'll pretend it returns the value 'BuildValue'). If you then search |inputlookup test_results |where build=BuildValue it would work. That should work (assuming the lookup has the field build). Though I'm not sure why you are using where - the where in Splunk is a trickier and easier-to-get-wrong version of search, so let's try that instead - |inputlookup test_results | search build=BuildValue.

My guess is that if you did the two simple things - as you hint at that you do - these both work.

The easiest way to do this would be to trim down your stats results to JUST the one field you want, right? Then, by default, the way the subsearch would return it would be as key-value pairs. So let's rephrase the subsearch just a hair to make sure we have the results in the right format: |inputlookup test|stats first(build) AS build | fields build. If you run that on its own, it should return a field "build" with a value of "BuildValue". So now, this |inputlookup test_results | search [ ...

One great tip is that you can inspect the job and find out what the search looks like. There's a trick to finding the ACTUAL search. In the "Search job inspector" near the top click "search.log". Then use "search this page with your browser" and search for "Expanded filtering search". That should be the actual search - after subsearches were calculated - that Splunk ran.

A good resource is to search Splunk Docs for subsearches - the first few hits on this search are all really good. Subsearches get tricky; there's all sorts of formatting and reformatting you can do to the output to make it behave slightly differently.

Splunk Enterprise Search Reference, appendcols. Description: Appends the fields of the subsearch results with the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. The maxout argument specifies the maximum number of results to return from the subsearch. This value is the maxresultrows setting in the [searchresults] stanza in the limits.conf file. The example below is similar to the multisearch example provided above and the results are the same.

I have a Splunk dashboard that shows traffic across two sites. But you shouldn't need that for this. I need to get a) the number of users for each domain and b) the total users for use in the dashboard. At this time, I have the following Simple XML:

Search "Middleware" | stats distinct_count(UserId) as domain1Users
Search "Middleware 2" | stats distinct_count(UserId) as domain2Users
| eval totalCount = domain1Count + domain2Count

However, the queries on the right side of the eval statements work as expected.

Splunk Search: Change textbox to search on multiple values. POR160893, Builder, a week ago. Hi, I have the following search that searches an index based on 2 textbox inputs: | inputlookup ABC | search src=$srctok$ OR dest=$desttok$. I need to change this such that multiple src's or multiple dest's are inputted at a given time by a user.