(src_ip="10.10.10.1") OR (src_ip="10.10.10.2") OR (src_ip="10.10.10.

The results of a left (or outer) join include all of the events in the main search and only those values in the subsearch that have matching field values.

The formatted search string that is returned contains (this does not work):

| dedup accountname | stats values(accountname) AS accounts | table query, src_ip, accounts

Seems the primary search doesn't work with the returned linear search string?

I am trying to use the below to search all the UUIDs returned from the subsearch on path1 in Path2, but the below search string is not working properly.

But it doesn't work if I pipe it to format.

How to pass a field from a subsearch to the main search and perform a search on another source.

Can a subsearch return only the value (without the fieldname)?

I have managed to get the query to work if I return a single field.

The search below produces multiple values for cip: indexproxy fields cip sop dip rhost dport csbytes csuri referer cagent lookup

"This is used when you want to pass the returned values in the returned fields into the primary search."

"The format command changes your subsearch results into a single linear search string."

The link you provided had details about the format command, which I was hoping to use to modify the returned search result so that it will work with multiple returned fields.