Initiate the sub-search: as previously stated, Splunk will process this first. To see this, run the sub-search separately in its own search window.

Rename the sub-search field to match the original data field.

Fair warning: if you are churning through something like firewall logs, this will not be very fast. It is two separate searches that have to crank through the data and timeframe twice.

Return command in Splunk. The return command is used to pass values up from a subsearch: it basically returns the result from the sub-search to your main search.

The format command will create a formatted sub-search (the default is (field=value OR field=value)); however, you can use this command to create sub-searches like ((field=value OR field=value) AND (field=value)), etc.

Use stats to pull a list of unique dest_ips. values(X) returns a list of up to 100 values of the field X as a multivalue entry.

Working with multiple indexes. An index in Splunk is a storage pool for events.

Hi All, I'm extremely new to Splunk and have been tasked to do the following: perform a query against one host (Server123) to retrieve MAC addresses, then perform a query on a second host (Server456) using the MAC addresses from the first query. I'm trying to return multiple fields by way of using a subsearch. I know all the MAC addresses from query 1 will not be fo.
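Putting the pieces above together for the Server123/Server456 question, as an added example that is not from the page or from any Splunk documentation: the index name `netlogs`, the sourcetype `dhcp`, and the field names `mac` and `src_mac` are assumptions. The inner search runs first and collects the MAC addresses seen on Server123 with stats values (which caps the list at 100 values by default), mvexpand turns the multivalue into one row per address, rename lines the field up with the name Server456's events use, and return hands the rows to the outer search as an OR'd filter.

```spl
index=netlogs host=Server456
    [ search index=netlogs host=Server123 sourcetype=dhcp
      | stats values(mac) AS mac
      | mvexpand mac
      | rename mac AS src_mac
      | return 100 src_mac ]
| stats count BY src_mac, host
| sort -count
```

Running only the bracketed part in its own search window shows what the outer search actually receives: a string of the form `(src_mac="aa:bb:cc:dd:ee:01") OR (src_mac="aa:bb:cc:dd:ee:02")`, which is the same shape the format command produces. Swapping `return 100 src_mac` for `fields src_mac | format` gives the same filter, and both searches scan the full time range, so narrow it with `earliest=`/`latest=` when the index is firewall-sized.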