topic Deriving one event from another in Splunk Search https://community.splunk.com/t5/Splunk-Search/Deriving-one-event-from-another/m-p/461786#M191435 <P>Hi, pardon if my question is too obvious, am a Splunk noob.<BR /> My requirement is:<BR /> I have a search String , example "Error occured in getting ID....". In the result log of this search is included a unique ID (there are multiple logs for each time that searh string is matched, unique ID different for all such logs). <BR /> I want to further search for one specific log that has same unique ID plus some other text.</P> <P>E.g - This is search string query:</P> <PRE><CODE>index=index "Error finding xID for ID:" | dedup uniquId </CODE></PRE> <P>This is one block of the result:</P> <PRE><CODE>{"level":"ERROR","uniqueId":"48b3825e993981df25d13670 1", "message":"Error finding xID for ID:1234"} </CODE></PRE> <P>What I require is, to be able to further search based on uniqueId in log dynamcially.<BR /> E.g:</P> <PRE><CODE>| &lt;uniqueId&gt; "some other search string" </CODE></PRE> Tue, 31 Mar 2020 05:54:31 GMT akki2428 2020-03-31T05:54:31Z Deriving one event from another https://community.splunk.com/t5/Splunk-Search/Deriving-one-event-from-another/m-p/461786#M191435 <P>Hi, pardon if my question is too obvious, am a Splunk noob.<BR /> My requirement is:<BR /> I have a search String , example "Error occured in getting ID....". In the result log of this search is included a unique ID (there are multiple logs for each time that searh string is matched, unique ID different for all such logs). <BR /> I want to further search for one specific log that has same unique ID plus some other text.</P> <P>E.g - This is search string query:</P> <PRE><CODE>index=index "Error finding xID for ID:" | dedup uniquId </CODE></PRE> <P>This is one block of the result:</P> <PRE><CODE>{"level":"ERROR","uniqueId":"48b3825e993981df25d13670 1", "message":"Error finding xID for ID:1234"} </CODE></PRE> <P>What I require is, to be able to further search based on uniqueId in log dynamcially.<BR /> E.g:</P> <PRE><CODE>| &lt;uniqueId&gt; "some other search string" </CODE></PRE> Tue, 31 Mar 2020 05:54:31 GMT https://community.splunk.com/t5/Splunk-Search/Deriving-one-event-from-another/m-p/461786#M191435 akki2428 2020-03-31T05:54:31Z Re: Deriving one event from another https://community.splunk.com/t5/Splunk-Search/Deriving-one-event-from-another/m-p/461787#M191436 <P>Like this:</P> <PRE><CODE>some other search string AND [ search index=index "Error finding xID for ID:" | dedup uniquId | table uniquId ] </CODE></PRE> Tue, 31 Mar 2020 06:07:15 GMT https://community.splunk.com/t5/Splunk-Search/Deriving-one-event-from-another/m-p/461787#M191436 woodcock 2020-03-31T06:07:15Z