topic Re: Pass the output of one query to another query in Splunk Search

Pass the output of one query to another query

Deepz2612 — Tue, 12 Feb 2019 11:02:55 GMT

Hi,
My 1st query returns 3 fields output.Out of which one filed has to be given as input to the second query which fetches 3 fields along with this result value.
Kidnly help

Re: Pass the output of one query to another query

chrisyounger — Tue, 12 Feb 2019 11:06:41 GMT

Try this as a starting point: YOUR_SEARCH | append [SECOND SEARCH]

You need to supply more details if you want better help.

Re: Pass the output of one query to another query

MoniM — Tue, 12 Feb 2019 11:21:59 GMT

Hi @Deepz2612 ,
You can go through these documentations of sub-search:-

https://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/Useasubsearch

https://www.splunk.com/blog/2012/11/05/book-excerpt-finding-specific-transactions.html

Thanks

Re: Pass the output of one query to another query

Deepz2612 — Tue, 29 Sep 2020 23:12:54 GMT

I have events like below with Job name and Incident number

Index= abc
Job: scdefgh_tal1080_d_b
App: YSC
Incident_Create_Number: INC0000XXXXXXXX

So I wrote a query to extract them as below:
index=abc |rex field=notes "Job:(?.*)\nApp" |table Job Incident_Create_Number Incident_Create_Assigned_Group

I have events where like below having Job name and its status
Index= xyz
CAUAJM_I_40245 EVENT: CHANGE_STATUS STATUS: TERMINATED JOB: iascamdsp_tal1080_d_b

So I wrote a query to extract them as below:
index=xyz | rex "]\s+(?\S+)\s+(?:((EVENT:)?\s(?\S+)\s+(STATUS:)?\s+(?\S+)\s+(JOB:)?\s+(?\S+)(\s+(MACHINE:)?\s+(?\S+))?(\s+(EXITCODE:)?\s+(?\S+))?))" |search event_1="CHANGE_STATUS" |table Job Job_Status

Now I wanted to combine both.For the Job name in the first query I want its status from the second query.
I tried using Join but its not returning any results.
Kindly help!

Re: Pass the output of one query to another query

DMohn — Tue, 12 Feb 2019 13:17:18 GMT

<your second query> [ search <your first query> | return <your field>] | table <your other fields>

The first query needs to go as a subsearch (the part in []) and return the needed field back to the main search (which in your case is the second query). You can select which field to use as a result in the main search with the return command. Normally it would look something like "field=value1 OR field=value2 OR ...."
If you need another return format, please refer to the command documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return

Re: Pass the output of one query to another query

DMohn — Tue, 12 Feb 2019 13:40:00 GMT

I assume you will have to use a join here:

index=abc |rex field=notes "Job:(?.*)\\nApp" | join Job [ index=xyz | rex "]\s+(?\S+)\s+(?:((EVENT:)?\s(?\S+)\s+(STATUS:)?\s+(?\S+)\s+(JOB:)?\s+(?\S+)(\s+(MACHINE:)?\s+(?\S+))?(\s+(EXITCODE:)?\s+(?\S+))?))" |search event_1="CHANGE_STATUS" |fields Job Job_Status] | table Job  Job_Status Incident_Create_Number Incident_Create_Assigned_Group

Re: Pass the output of one query to another query

Deepz2612 — Wed, 13 Feb 2019 07:38:11 GMT

Hi,

The above doesnt seem to work.It returns me 0 results.