My subsearch contains this predefined field, and I'm trying to use it to search my main search, which gets the field using rex, but I get no results.

I've tried a few different things:

host=blah... [search... | table my_field] | rex field=_raw "...<my_field>..."

host=blah... | rex field=_raw "...<my_field>..." | regex [search... | table my_field]

host=blah... | rex field=_raw "...<my_field>..." | regex my_field=[search... | table my_field]

Anyone know how I can go about this?

JJBee

3 Answers

If my_field is the required field from the subsearch, try:

host=blah... | join my_field [search... | table my_field] | ..

smi

Have you tried the below?

host=blah... | rex field=_raw "...<my_field>..." | search [search... | table my_field]

Also, if you define your rex in props.conf you can remove the rex part, as Splunk will automatically extract the field at search time!
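To make the ordering issue behind the question concrete, here is an added Python simulation of the two pipelines (it is not Splunk code and not part of any answer above). Splunk runs the subsearch first and rewrites its rows into an OR of my_field=value terms; that filter can only match events that already carry my_field when it is applied. In the question's first attempt the terms land in the base search, before rex has extracted anything, so nothing matches; with `| rex ... | search [...]` the filter runs after extraction and matches. The log lines, the subsearch rows and the rex pattern are constructed for this example, and the subsearch-to-expression text only approximates what Splunk's `| format` would show.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the original post). Each event only has
# _raw, which is the state of an event before | rex runs.
RAW_EVENTS: List[Dict[str, str]] = [
    {"_raw": "2024-01-01T10:00:00 host=blah sshd: Accepted password for alice from 10.0.0.5"},
    {"_raw": "2024-01-01T10:00:05 host=blah sshd: Accepted password for bob from 10.0.0.6"},
    {"_raw": "2024-01-01T10:00:09 host=blah sshd: Accepted password for carol from 10.0.0.7"},
    {"_raw": "2024-01-01T10:00:12 host=blah sshd: Failed password for mallory from 198.51.100.9"},
]

# Constructed result of "[search ... | table my_field]": rows holding only my_field.
SUBSEARCH_ROWS: List[Dict[str, str]] = [
    {"my_field": "bob"},
    {"my_field": "mallory"},
]

# Hypothetical rex pattern standing in for the "...<my_field>..." in the post.
# Splunk's rex uses PCRE-style (?<name>...) named groups.
REX_PATTERN = r"password for (?<my_field>\S+) from"


def rex(events: List[Dict[str, str]], pattern: str, field: str = "_raw") -> List[Dict[str, str]]:
    """Mimic `| rex field=_raw "<pattern>"`: add each named capture as a field.
    Python's re wants (?P<name>...), so rewrite (?<name> but leave lookbehinds alone."""
    compiled = re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))
    out = []
    for ev in events:
        ev = dict(ev)
        m = compiled.search(ev.get(field, ""))
        if m:
            ev.update(m.groupdict())
        out.append(ev)
    return out


def subsearch_values(rows: List[Dict[str, str]], field: str) -> List[str]:
    """The values a subsearch contributes for one field (rows lacking it are skipped)."""
    return [row[field] for row in rows if field in row]


def subsearch_to_expression(rows: List[Dict[str, str]], field: str) -> str:
    """Approximate the search expression Splunk builds from subsearch rows:
    one field="value" term per row, OR-ed together."""
    return " OR ".join(f'( {field}="{v}" )' for v in subsearch_values(rows, field))


def apply_filter(events: List[Dict[str, str]], field: str, values: List[str]) -> List[Dict[str, str]]:
    """Mimic that OR-ed filter. An event without the field at this point in the
    pipeline can never match; an empty subsearch matches nothing, as in Splunk."""
    wanted = set(values)
    return [ev for ev in events if ev.get(field) in wanted]


def filter_before_rex(raw_events: List[Dict[str, str]], rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Question's first attempt: host=... [subsearch] | rex ...
    The subsearch terms are part of the base search, so they run before rex."""
    filtered = apply_filter(raw_events, "my_field", subsearch_values(rows, "my_field"))
    return rex(filtered, REX_PATTERN)


def rex_then_search(raw_events: List[Dict[str, str]], rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Working form: host=... | rex ... | search [subsearch]."""
    extracted = rex(raw_events, REX_PATTERN)
    return apply_filter(extracted, "my_field", subsearch_values(rows, "my_field"))


if __name__ == "__main__":
    print("expanded subsearch:", subsearch_to_expression(SUBSEARCH_ROWS, "my_field"))
    print("filter before rex :", len(filter_before_rex(RAW_EVENTS, SUBSEARCH_ROWS)), "events")
    print("rex then search   :", [e["my_field"] for e in rex_then_search(RAW_EVENTS, SUBSEARCH_ROWS)])
```

The same ordering rule explains why the props.conf route works: a search-time EXTRACT makes my_field exist on the events before the base search's filter is evaluated, so the subsearch terms can stay in the base search.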

If you're trying to use a subsearch to scrub the result set of your root search that has a | rex command in it for that field, it will not work.

A subsearch is a completely different search, not reliant on the result set of any previous search, so it creates its own result set.

One way to do what you're asking in Splunk is to make the field in props.conf:

[mysourcetype]
# the regex must contain a named capture group, e.g. (?<my_field>...)
EXTRACT-myfield = "my_regex_extraction"

Then, depending on what you're doing, maybe use a | streamstats or | eventstats command.

theGlitchKing