topic Re: search a result and then a field value create array and pass 1 by 1 in another search query at same time in Splunk Search

search a result and then a field value create array and pass 1 by 1 in another search query at same time

varunawasthi9 — Mon, 29 Jul 2019 19:35:31 GMT

Hi All,

is this doable that a search request give a list of results in that a filed will have order id those are list of order ids and those need to pass 1 by 1 on next Query

first search gives me

1 abc
2 efg
3 eeg

from thay pass 1 by 1 in another search at the same time

like index=xyz 1 create

Re: search a result and then a field value create array and pass 1 by 1 in another search query at same time

richgalloway — Mon, 29 Jul 2019 19:59:41 GMT

Can you explain in more detail your use case? What you describe could be an example of subsearch or map (or something else), but we need more information.

Re: search a result and then a field value create array and pass 1 by 1 in another search query at same time

solarboyz1 — Mon, 29 Jul 2019 20:49:13 GMT

IIt sounds like map is the command you are looking for: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map

It sounds like you would like to do something like

index=sales | stats sum(sales) as sales by product_id | map search="search index=product_details id=$product_id$"

Each product_id returned by the search:

 index=sales | stats sum(sales) as sales by product_id

Will be run through the search

index=product_details id=$product_id$

Re: search a result and then a field value create array and pass 1 by 1 in another search query at same time

varunawasthi9 — Mon, 29 Jul 2019 21:08:07 GMT

And if adding to above I need that from the array list if something not present from the list how to achieve that

Re: search a result and then a field value create array and pass 1 by 1 in another search query at same time

jacobpevans — Wed, 30 Sep 2020 01:31:47 GMT

You would need to start with a search that returns all possible values and join that to your search. In our environment, this is generally a lookup. Here's an example that you can try in your environment.

| makeresults count=10
| eval product_id=random()%10+1
| join type=left max=0 product_id [
    | makeresults count=10
    | eval product_id=random()%5+1
    | stats count by product_id ]
| fillnull

Using @solarboyz1 's example, it would look something like the command below where the "product_ids" lookup has a column called "product_id".

| inputlookup product_ids
| join type=left max=0 product_id [
    | search index=sales
    | stats sum(sales) as sales by product_id
    | map search="search index=product_details id=$product_id$" ]
| fillnull