A subsearch is a special case of a regular search in which the result of a secondary (inner) query is the input to the primary (outer) query. It is similar to the concept of a subquery in SQL.

Definition:
1) A subsearch is a search that is used to reduce the set of events in your result set.
2) The result of the subsearch is used as an argument to the primary or outer search.
3) Subsearches must be enclosed in square brackets and must start with a generating command (e.g. search, makeresults).

Splunk executes the subsearch first. The inner search should return one result, which is then passed into the outer search: the rows the subsearch produces are run through the format command and collapsed into a single event with a field named search, whose value is an OR of one clause per row, for example:

( ( qmaildelivery="8227046" AND qmailmsg="33565415" ) OR ( qmaildelivery="7947353" AND qmailmsg="33719121" ) OR ...

I searched a lot but did not get a solution for my requirement; however, I found the solution for a single-value subsearch output used as input to the main search. I am looking for a query which will accept multiple-value subsearch output as input to the main search. See below:

This subsearch "search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId" will return multiple values like below:

Now, whatever values we get in the column UniqueReqId, we need to use each value one by one in the main query as UniqueReqId=EachValue.
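The following is an added example, not code from the original post or from Splunk, that models what happens between the inner and outer search described above: the subsearch rows are passed through the format command and become one OR-joined search string that is spliced into the outer query. It answers the multiple-value question mechanically (every distinct UniqueReqId becomes its own `( UniqueReqId="..." )` clause) and shows two caveats a practitioner cares about: the default subsearch result cap (limits.conf [subsearch] maxout, 10,000) silently truncates the expansion, and field values are quoted and escaped so a hostile value cannot widen the outer search. The sample events, the helper names and the `fields UniqueReqId` variant of the inner search are assumptions for the demonstration.

```python
"""Model of how Splunk expands a subsearch into the outer search.

Added example (not Splunk's code, not from the original post): Splunk runs
the [...] subsearch first, passes its rows through the `format` command and
splices the single `search` field that produces into the outer query. The
functions below reproduce that expansion offline so the generated search
string can be inspected. SUBSEARCH_MAXOUT mirrors the documented default of
limits.conf [subsearch] maxout; "NOT( )" is format's documented default
emptystr. The event data is constructed for the demo.
"""
from __future__ import annotations

from typing import Iterable, Mapping, Sequence

SUBSEARCH_MAXOUT = 10_000  # default limits.conf [subsearch] maxout


def quote_value(value: object) -> str:
    """Render a field value as a double-quoted SPL string literal.

    Backslashes and double quotes inside the value are escaped, so a value
    such as  x" OR index=*  stays inside the quotes instead of becoming
    extra search terms in the outer query.
    """
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def format_rows(rows: Iterable[Mapping[str, object]],
                fields: Sequence[str] | None = None,
                maxout: int = SUBSEARCH_MAXOUT) -> str:
    """Mimic `| format` with its default separators.

    Output shape: ( ( f1="v1" AND f2="v2" ) OR ( f1="v3" AND f2="v4" ) )
    Rows beyond `maxout` are dropped, as Splunk does when the subsearch
    result limit is hit (Splunk also emits a warning; this model does not).
    """
    kept = list(rows)[:maxout]
    if not kept:
        return "NOT( )"
    clauses = []
    for row in kept:
        keys = fields if fields is not None else list(row.keys())
        terms = [f"{k}={quote_value(row[k])}" for k in keys
                 if k in row and row[k] is not None]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


# Constructed sample events standing in for `index=myIndex MyLogger`.
SAMPLE_EVENTS = [
    {"_raw": "MyLogger start UniqueReqId=req-1001 user=alice", "UniqueReqId": "req-1001"},
    {"_raw": "MyLogger end   UniqueReqId=req-1001 user=alice", "UniqueReqId": "req-1001"},
    {"_raw": "MyLogger start UniqueReqId=req-1002 user=bob",   "UniqueReqId": "req-1002"},
    {"_raw": "OtherLogger    UniqueReqId=req-9999 user=eve",   "UniqueReqId": "req-9999"},
    {"_raw": "MyLogger start UniqueReqId=req-1003 user=carol", "UniqueReqId": "req-1003"},
]


def subsearch_unique_ids(events: Iterable[Mapping[str, str]]) -> list[dict[str, str]]:
    """Model of the inner search:
         search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId
    One row per distinct UniqueReqId, in first-seen order, carrying only the
    field the outer search needs. (Ending the subsearch with
    `stats count(...) as "Total user" by UniqueReqId` instead would add a
    second field, which format turns into an extra AND term on the count.)"""
    seen: list[str] = []
    for ev in events:
        if "MyLogger" in ev["_raw"] and ev["UniqueReqId"] not in seen:
            seen.append(ev["UniqueReqId"])
    return [{"UniqueReqId": rid} for rid in seen]


def build_outer_search(events: Iterable[Mapping[str, str]]) -> str:
    """The query Splunk effectively runs for
         index=myIndex MyLogger [search index=myIndex MyLogger
                                 | dedup UniqueReqId | fields UniqueReqId]
    once the subsearch has been evaluated and formatted."""
    return "index=myIndex MyLogger " + format_rows(subsearch_unique_ids(events))


if __name__ == "__main__":
    print(build_outer_search(SAMPLE_EVENTS))
    # Hostile field value: the embedded quote is escaped, not interpreted.
    print(format_rows([{"UniqueReqId": 'x" OR index=*'}]))
```

Running the module prints the expanded outer search, `index=myIndex MyLogger ( ( UniqueReqId="req-1001" ) OR ( UniqueReqId="req-1002" ) OR ( UniqueReqId="req-1003" ) )`, which is the multiple-value form the question asks for. Because every row becomes a clause of the outer query, keep the inner search narrow (dedup and fields, no extra stats columns) and watch the maxout cap: a subsearch that matches more than 10,000 distinct IDs will be truncated, and the outer search will quietly miss the rest.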