Splunk searches

EclecticGroove Registered User regular
So, I never really needed to delve into Splunk much for work. But right now I've got some data I need to cull that is going beyond the basics I generally need.

I know it is likely to be a sub search, but all the examples I've seen tend to not be working out for me for one reason or another.


What I need is to run a search for a value. But that value needs to come from data that is filtered out from another search that does not contain the value the first search is looking for.

So what I need is:

search for value a [filtered by results for value b that returns a common shared attribute of value c between the 2 data sets]

Right now my search is essentially this:

sourcetype="datasource1" valuea [search sourcetype="datasource1" fieldname="value b used for filtering" | fields valuec | return $valuec]

This returns results... but it's the same results I get when I just do the plain sourcetype and valuea search.

It just doesn't look like the subsearch is filtering anything out of the main search at all, so I'm pretty sure I'm doing it wrong. Any help would be appreciated.
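To make the mechanics of that search concrete, here is an added example (not from the post, and not Splunk's own code) that models what a subsearch does: the inner search runs first, hands back the shared attribute values it found, and Splunk splices those into the outer search as a filter. The events, field names (valuea, fieldname, valuec) and session-id style values are all constructed placeholders mirroring the post. The `count` parameter mirrors the `return` command, which emits only one result unless a count is given (`| return 100 valuec`), and `return valuec` (no `$`) produces `valuec="..."` terms, whereas `return $valuec` emits the bare value, which the outer search treats as a keyword rather than a field match.

```python
"""Model of how a Splunk subsearch feeds values into an outer search.

Added example, not from the forum post. All events below are constructed;
field names valuea / fieldname / valuec mirror the post's placeholders, and
valuec stands for the attribute the two sets of events share (for instance a
session id seen on both a login event and a later action).
"""

# Constructed sample events, all from one sourcetype.
EVENTS = [
    {"sourcetype": "datasource1", "fieldname": "value b", "valuec": "s-100", "msg": "login"},
    {"sourcetype": "datasource1", "fieldname": "value b", "valuec": "s-200", "msg": "login"},
    {"sourcetype": "datasource1", "fieldname": "other",   "valuec": "s-300", "msg": "login"},
    {"sourcetype": "datasource1", "valuea": "yes", "valuec": "s-100", "msg": "action"},
    {"sourcetype": "datasource1", "valuea": "yes", "valuec": "s-200", "msg": "action"},
    {"sourcetype": "datasource1", "valuea": "yes", "valuec": "s-300", "msg": "action"},
    {"sourcetype": "datasource1", "valuea": "yes", "valuec": "s-400", "msg": "action"},
]


def subsearch(events, filter_field, filter_value, shared_field, count=1):
    """Inner search: keep events where filter_field == filter_value and hand
    back the distinct shared_field values, at most `count` of them.
    `count` mirrors Splunk's `return` command, which returns ONE result unless
    a count is given ("| return 100 valuec")."""
    seen = []
    for ev in events:
        if ev.get(filter_field) != filter_value or shared_field not in ev:
            continue
        if ev[shared_field] not in seen:
            seen.append(ev[shared_field])
        if len(seen) >= count:
            break
    return seen


def expand_to_spl(shared_field, values):
    """Text Splunk splices into the outer search in place of [ ... ] when the
    subsearch ends in `| return N shared_field` (field=value terms OR'd).
    Returns an empty string when the subsearch found nothing."""
    if not values:
        return ""
    return "(" + " OR ".join(f'{shared_field}="{v}"' for v in values) + ")"


def outer_search(events, outer_field, shared_field, allowed):
    """Outer search: events carrying outer_field, restricted to the shared
    values the subsearch returned (an empty list matches nothing)."""
    allowed = set(allowed)
    return [ev for ev in events
            if ev.get(outer_field) and ev.get(shared_field) in allowed]


def run(count=1):
    """Full pipeline: subsearch on fieldname="value b", then filter valuea
    events by the returned valuec values. Returns the matching valuec list."""
    allowed = subsearch(EVENTS, "fieldname", "value b", "valuec", count)
    return [ev["valuec"] for ev in outer_search(EVENTS, "valuea", "valuec", allowed)]


if __name__ == "__main__":
    print("no subsearch:", [ev["valuec"] for ev in EVENTS if ev.get("valuea")])
    print("return 1:    ", run(1))      # only the first login's session
    print("return 100:  ", run(100))    # every session that matched value b
    print(expand_to_spl("valuec", subsearch(EVENTS, "fieldname", "value b", "valuec", 100)))
```

Running it shows the difference between the plain `valuea` search (four events) and the subsearch-filtered one: with the default count only one shared value comes back, so only one event survives, while with a higher count every event sharing a valuec with a "value b" event is kept.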
