topic Re: how to create a single search where the output of the first query should act as input to the second query. in Splunk Search

how to create a single search where the output of the first query should act as input to the second query.

dina1701 — Mon, 27 Mar 2017 13:27:00 GMT

We have two indexers in place. index=A & index=B. From index=A I have queried out the field which I want the value for.
index=A | search PC="*" | table ReqID index, this will return value to the field ReqID. Lets say ReqID=X.

Now I have to use the value of the above field ReqID=X and search in another index=B. In the index=B the same value carries a field name called RequestersID=X.

I have to create a search query in such way that output from the first index should automatically serve the purpose as input to the second index=B and provide a combine result in the form of table.
| table ReqID RequestersID index

Re: how to create a single search where the output of the first query should act as input to the second query.

somesoni2 — Mon, 27 Mar 2017 14:11:42 GMT

You need to use subsearch like this

index=B [search index=A | search PC="*" | table ReqID | rename reqID as RequestersID ] | table RequesterID index

Since you're looking for events which has same RequesterID as ReqID in index A, both fields in your final table ReqID and RequestersID will be same, so I've not added it. If you need it , just add | eval ReqID =RequesterID at the end.

Re: how to create a single search where the output of the first query should act as input to the second query.

dina1701 — Wed, 29 Mar 2017 11:55:01 GMT

Thanks somesoni2 for replying. Can you please anything further on this to obtain the results

I have tried executing this command, I was quite unsuccessful as there no events getting written
index=orsapps [ search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID ] | rex "RequestersID>(?[^<]*)" | table RequestersID _time index

But when I type individual queries I am able to see the table -
index=orsapps
| rex "RequestersID>(?[^<]*)"
| table RequestersID _time index

Result -
RequestersID _time index
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps

Individual subquery result -
search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID

RequestersID _time index
0610479853358211 2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
0610479853358211 2017-03-27 11:29:05 esbapps
0610467479012357 2017-03-27 11:28:55 esbapps
2017-03-27 11:28:54 esbapps
2017-03-27 11:28:54 esbapps
0610467479012357 2017-03-27 11:28:53 esbapps

Output of the first query is to be servered as the input to the first query. Can you please help me in getting all in a same table as in the final result. Final table format -
RequestersID _time index
xxxxx xxxxx esbapps
xxxxx xxxxx orsapps