topic How to use output of a 1st query as input in second query. in Splunk Search

How to use output of a 1st query as input in second query.

satyajit7 — Wed, 14 Apr 2021 14:26:44 GMT

I have a 1st query by taking input from the dashboard and where I got id as a result from that. And I want to use that id fetch from the 1st query , in my 2nd query as input and show the required fileds which is available in 2nd query on dashboard.

N.B:- I know join but facing issue in how to pass that id as a variable to the 2nd query

Actually it need to be work on a dashboard.

Can someone please help.

@niketn

Re: How to use output of a 1st query as input in second query.

scelikok — Wed, 14 Apr 2021 06:39:27 GMT

Hi @satyajit7,

You can use 1nd query as a subsearch or use map command. If you can share your sample queries, we can help to build the query.

Re: How to use output of a 1st query as input in second query.

satyajit7 — Wed, 14 Apr 2021 10:39:56 GMT

Thanks @scelikok for the reply.

Mu sample query

1st query

...| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID

2nd query

... Need to pass that TXNID here | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date

NB:-

I will use this in the dashboard. In the dashboard I have one input text and a date filed which user need to provide. User will provide account id which need to be on 1st query based on the account and time stamo it will fetch the txnid and using that txnid need to fetch and show in the dashboard.

Re: How to use output of a 1st query as input in second query.

scelikok — Wed, 14 Apr 2021 18:15:50 GMT

You can try below with only one search, subsearch output will be used as a filter for your second query. You can play with the token places according to your searches.

... | search [ search $token_account_id$ earliest=$token_time.earliest$ latest=$token_time.latest$| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID | fields TXNID ] | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date

Re: How to use output of a 1st query as input in second query.

satyajit7 — Thu, 15 Apr 2021 05:41:08 GMT

Thanks for your reply. I tried this subsearch approach but seems it didn't give me any results

Re: How to use output of a 1st query as input in second query.

satyajit7 — Thu, 15 Apr 2021 05:47:53 GMT

@scelikok thanks so much. I just put join instead of | search and it worked magically.

My final query will be like

... | Join [ search $token_account_id$ earliest=$token_time.earliest$ latest=$token_time.latest$| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID | fields TXNID ] | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date

Re: How to use output of a 1st query as input in second query.

satyajit7 — Thu, 15 Apr 2021 08:30:26 GMT

@Anonymous can you please help me. Still I'm facing issue to use the output of the 1st query in my 2nd query.

And my 2nd query is complex one as it contains 3 join query but all 3 required txn id as input also

Re: How to use output of a 1st query as input in second query.

sloshburch — Thu, 15 Apr 2021 16:40:34 GMT

Hi, this is Burch. It looks like there is an accepted answer and others are already actively working with you on this. Is that not the case? If not, then perhaps un-accept the answer and let's make it clear that all are able to help you rather than specific people.