https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74695#M18847 <P>Hi, thanks for your answer. I'm not sure if this gives me the correct result. I would like to check if the same SessionID is used with a different IP-Adress.</P> Tue, 05 Apr 2011 18:07:12 GMT kochera 2011-04-05T18:07:12Z https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74693#M18845 <P>Hi,</P> <P>I would like to combine two searches. The first one gives me the session-id which i would like to use in a second search, e.g. </P> <P>Query 1: index=main 123.123.123.156 source="/appl/log/www/access.log" |rex field=<EM>raw "\"\s\"(?[A-z,0-9,-.</EM>]+)"</P> <P>Query 2: index=main $SessionID$ source="/appl/log/www/access.log"</P> <P>Cheers, Andy</P> Tue, 05 Apr 2011 13:36:29 GMT https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74693#M18845 kochera 2011-04-05T13:36:29Z https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74694#M18846 <P>Hi kochera</P> <P>you could use something like that (I used a different regex for this example!):</P> <P>index="main" 123.123.123.156 source="/appl/log/www/access.log" [search index="main" source="/appl/log/www/access.log" | rex field=_raw "(?i)^(?:[^-]*-){5}\s+(?P.+)" | fields requestid ]</P> <P>the sub search will result in a list of:</P> <P><EM>( ( requestid="xxxxxxxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxx" ) )</EM></P> <P>and this will be used in the search.</P> <P>hope this helps</P> <P>MuS</P> Tue, 05 Apr 2011 17:21:17 GMT https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74694#M18846 MuS 2011-04-05T17:21:17Z https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74695#M18847 <P>Hi, thanks for your answer. I'm not sure if this gives me the correct result. I would like to check if the same SessionID is used with a different IP-Adress.</P> Tue, 05 Apr 2011 18:07:12 GMT https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74695#M18847 kochera 2011-04-05T18:07:12Z https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74696#M18848 <P>well then just leave the IP away in the main search, then you should see any SessionID of any IP.</P> Tue, 05 Apr 2011 18:41:49 GMT https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74696#M18848 MuS 2011-04-05T18:41:49Z https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74697#M18849 <P>yes, that's what I'm trying at the moment</P> <P>index=main source="/appl/log/www/access.log" [search index=main source="/appl/log/www/access.log" "123.123.123.156" |rex field=<EM>raw "\"\s\"(?<SESSIONID>[A-z,0-9,-.</SESSIONID></EM>]+)"| fields + sessionid]</P> <P>But somehow I don't get any results...</P> Tue, 05 Apr 2011 18:53:30 GMT https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74697#M18849 kochera 2011-04-05T18:53:30Z https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74698#M18850 <P>okay leave the IP completely away in any search; but then I wonder why are you using a sub search anyway?</P> Tue, 05 Apr 2011 19:36:15 GMT https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74698#M18850 MuS 2011-04-05T19:36:15Z https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74699#M18851 <P>if I leave the IP away, then I see results but as you mentioned, this doesn't make any sense...</P> Tue, 05 Apr 2011 19:51:14 GMT https://community.splunk.com/t5/Splunk-Search/Use-extracted-field-in-a-subsearch/m-p/74699#M18851 kochera 2011-04-05T19:51:14Z