topic Re: How to pass a value extracted from a main search to a sub search from different source? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-value-extracted-from-a-main-search-to-a-sub-search/m-p/443925#M125905 <P>Hi @vivek991985 <BR /> You can't pass a value from a main search to a sub search, it works the other way round.<BR /> That being said and from what I can understand try something like this - </P> <PRE><CODE>source ="FILE2.log" | eval id=[search source="FILE1.log" search_input | rex ".*]*Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" |return $rpc_id] </CODE></PRE> <P>Basically, the eval gets executed first and whatever rex you are performing (assuming the rex works) gets assigned o the field id, you can then pipe on and do what you need with file2log source</P> Mon, 12 Aug 2019 16:24:59 GMT Sukisen1981 2019-08-12T16:24:59Z How to pass a value extracted from a main search to a sub search from different source? https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-value-extracted-from-a-main-search-to-a-sub-search/m-p/443924#M125904 <P>Example:</P> <PRE><CODE>source="FILE1.log" search_input | rex ".*]*Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" | append [search source ="FILE2.log" rpc_id] </CODE></PRE> Mon, 12 Aug 2019 14:47:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-value-extracted-from-a-main-search-to-a-sub-search/m-p/443924#M125904 vivek991985 2019-08-12T14:47:02Z Re: How to pass a value extracted from a main search to a sub search from different source? https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-value-extracted-from-a-main-search-to-a-sub-search/m-p/443925#M125905 <P>Hi @vivek991985 <BR /> You can't pass a value from a main search to a sub search, it works the other way round.<BR /> That being said and from what I can understand try something like this - </P> <PRE><CODE>source ="FILE2.log" | eval id=[search source="FILE1.log" search_input | rex ".*]*Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" |return $rpc_id] </CODE></PRE> <P>Basically, the eval gets executed first and whatever rex you are performing (assuming the rex works) gets assigned o the field id, you can then pipe on and do what you need with file2log source</P> Mon, 12 Aug 2019 16:24:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-value-extracted-from-a-main-search-to-a-sub-search/m-p/443925#M125905 Sukisen1981 2019-08-12T16:24:59Z Re: How to pass a value extracted from a main search to a sub search from different source? https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-value-extracted-from-a-main-search-to-a-sub-search/m-p/443926#M125906 <P>Thank you @Sukisen1981 </P> Mon, 12 Aug 2019 17:33:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-a-value-extracted-from-a-main-search-to-a-sub-search/m-p/443926#M125906 vivek991985 2019-08-12T17:33:03Z