topic Re: How to concat all rows in a single field able and use the result in another "search port IN" in Splunk Search

How to concat all rows in a single field able and use the result in another "search port IN"

vsasdao — Fri, 22 Jan 2021 12:11:41 GMT

In my Search 1, it will list all unique port numbers associated with a certain IP address, i.e. 1.2.3.4

"MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<ipport>.*?) " | dedup ipport | table ipport | table ipport

And then I'd like to concatenate those ports into one long string delimitated with "," that is, "57432, 57453,57198" and finally this concatenated string will be used in another search, i.e

It will be really appreciated if someone could shed the light of how it can be solved. thanks in advance!

Re: How to concat all rows in a single field able and use the result in another "search port IN"

scelikok — Fri, 22 Jan 2021 12:22:44 GMT

Hi @vsasdao,

Please try below query;

If this reply helps you an upvote is appreciated.

Re: How to concat all rows in a single field able and use the result in another "search port IN"

vsasdao — Fri, 22 Jan 2021 17:16:30 GMT

it works well. Can you explain a bit how you've fixed it?

Re: How to concat all rows in a single field able and use the result in another "search port IN"

scelikok — Sat, 23 Jan 2021 13:23:38 GMT

Great!

Subsearches formats the results into a single linear search string. You can this string by running the subsearch by adding "| format" command at the end. I changed field name to port to create suitable search string from subsearch.

You can find more detail in below doc.

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Search/Changetheformatofsubsearchresults