topic Re: Pass arguments between two searches, different sources in Splunk Search

Pass arguments between two searches, different sources

atanasmitev — Sat, 06 Dec 2014 11:31:08 GMT

I am trying to perform a "for loop" splunk style, with two sources: source1 , source2. The searches right now looks like this:

1. source="source1" param1=value1 param2=value2 | stats values(token). I need the token for the next :

2. source="source2" param4="*" token

I tried ( but returns error: "Error in 'map': Did not find value for required attribute 'token":

source="source1" param1=value1 param2=value2 | stats values(token) | 
map maxsearches=10 search="search source="source2" param4="*"  token=$token$ | 
stats values(param4) by token "

Where am I wrong, and is there a way to optimize this ?
I tried source1 OR source2, but then I need multiple OR ( AND ( OR))) clauses to match multiple needed parameters.

Thanks in advance,

Re: Pass arguments between two searches, different sources

martin_mueller — Sat, 06 Dec 2014 13:40:36 GMT

You're basically trying to use results from one search to filter the next? No problem with subsearches:

source="source2" param4="*" [search source="source1" param1=value1 param2=value2 | fields token | dedup token]

Open the job inspector to see the expression being returned by the subsearch, it'll be a huge ((OR))-behemoth.

Re: Pass arguments between two searches, different sources

atanasmitev — Mon, 28 Sep 2020 18:20:18 GMT

True, but your way doesn't seem to be working.

The way I tried to do it , search 1 would return a list or single token like so:

tok_en1
tok_en2

What search 2 does is, foreach tok_en* get logged error message. It seems I need more time

Re: Pass arguments between two searches, different sources

martin_mueller — Sat, 06 Dec 2014 16:04:54 GMT

Do both sources have an extracted field token?

Re: Pass arguments between two searches, different sources

atanasmitev — Sun, 07 Dec 2014 11:12:30 GMT

Sorry for the delay.
Yes, both searches have "token" extracted.
I can manually perform search1- copy/paste "token" in search2, but I'd like to automate.

Re: Pass arguments between two searches, different sources

martin_mueller — Sun, 07 Dec 2014 11:37:58 GMT

That's exactly what the search-subsearch combo in my answer does.

Re: Pass arguments between two searches, different sources

atanasmitev — Sun, 07 Dec 2014 12:49:38 GMT

The " [ inner search ] " returns the token alright , however it seems that the outer one doesn't understand the token provided ... I accepted your answer, as it seems the problem is related to my splunk instance 🙂

Re: Pass arguments between two searches, different sources

martin_mueller — Sun, 07 Dec 2014 14:02:22 GMT

Do post the exact search you're running and the debug info shown at the top of the job inspector.

Re: Pass arguments between two searches, different sources

atanasmitev — Fri, 19 Dec 2014 00:32:31 GMT

The working solution looks like this (note, results may vary, depending on what fields you have extracted) :

index=common_index  source=source2 param5 param4="*"  
[ 
  search index=common_index source=source1 param1=value1 param2=value2  
|stats values(token) as omg 
|rename omg as query 
] 
| stats values(param4) by token

This thing returns results like so :

param4_value1  token1
param4_value2  token2
param4_value2  token3

etc.

martin_mueller, thanks one more time for helping 🙂