Change the format of subsearch results
When you use a subsearch, the format
command is implicitly applied to your subsearch results. The format
command changes the subsearch results into a single linear search string. This is used when you want to pass the values in the returned fields into the primary search.
If your subsearch returned a table, such as:
| field1 | field2 | ------------------- event/row1 | val1_1 | val1_2 | event/row2 | val2_1 | val2_2 |
The format
command returns:
(field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2)
For more information, see the format command.
Formatting exceptions
There are a couple of exceptions to the formatting that the format
command performs.
- All internal fields, fields that begin with a leading underscore ( _ ) character, are ignored and not formatted as a linear search string.
- If the name of a field is either
search
orquery
, the values of fields are rendered directly in the reformatted search string.
The search and query fields
You can rename a field to either search
or query
to change the format of the subsearch results. Renaming a field to search
or query
is a special use case. When you rename your fields to anything else, the subsearch returns the new field names that you specify.
Using the search field name
Use the search
field name and the format
command when you need to append some static data or apply an evaluation on the data in the subsearch. You can then pass the data to the primary search. For example, you rename the second field in the search results to search
, as shown in the following table:
| field1 | search | ------------------- event/row1 | val1_1 | val1_2 | event/row2 | val2_1 | val2_2 |
Then using the format
command returns:
(field1=val1_1 AND val1_2) OR (field1=val2_1 AND val2_2)
Instead of
(field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2)
For multivalue fields, when you use the search
field name, the first value of the field is used as the actual search term.
Using the query field name
Use the query
field name when you want the values in the fields returned from the subsearch, but not the field names.
The query
field name is similarly to using the format
command. Instead of passing the field and value pairs to the main search, such as:
(field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2)
Using the query
field name passes only the values:
(val1_1 AND val1_2) OR (val2_1 AND val2_2)
Examples
The following search looks for a value in the clID
field that is associated with a name token or field value. The clID value is then used to search for several sources.
index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID ]
The subsearch returns the field and value in the format: ( (clID="0050834ja") )
To return only the value, 0050834ja
, rename the clID
field to search
in the subsearch. For example:
index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID | rename clID as search ]
When the field is named search
or query
, the field name is dropped and the implicit | format
command at the end of the subsearch returns only the value.
If you return multiple values, such as specifying ...| top limit=3
, the subsearch returns each of the values with the boolean OR operator between the values. For example, if the previous search example used ...| top limit=3
, the values returned from the subsearch are ( ( value1 ) OR ( value2 ) OR ( value3 ) )
.
Use subsearch to correlate events | About transforming commands and searches |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!