https://community.splunk.com/t5/Splunk-Search/first-query-table-output-as-input-to-another-query/m-p/569962#M198665 <P>From your description it looks like your k8s_label is a field containing 4 lines of data, each line represents a field of its own. However, your where statement in your first query references 'id=&lt;xxx&gt;" where there is no id= component in that text.</P><P>What do you want as your final output?</P><P>However, in terms of using one query to filter another you can use a subsearch, e.g.</P><LI-CODE lang="markup">index=&lt;index_name&gt; "server failed" [ search index=&lt;index_name&gt; sourcetype=&lt;sourcetype_name&gt; | rex field=k8s_label "(?s)project_id=(?&lt;Project_id&gt;\d+)" | fields Project_id ]</LI-CODE><P>&nbsp;which will use the Project_id from the subsearch as a filter to the outer search for server failed, but I am not clear if this is what you need. Can you clarify your data and expected output.</P><P>&nbsp;</P> Wed, 06 Oct 2021 21:36:18 GMT bowesmana 2021-10-06T21:36:18Z https://community.splunk.com/t5/Splunk-Search/first-query-table-output-as-input-to-another-query/m-p/569957#M198661 <P>Hello,</P><P>&nbsp;</P><P>Can i please know how to parse the value to the 2nd query from the output of 1st query. Any help would be appreciated.</P><P>&nbsp;</P><P><STRONG>1st query:</STRONG></P><P>index=&lt;index_name&gt;&nbsp; sourcetype=&lt;sourcetype_name&gt; | table k8s_label | where k8s_label="id=&lt;id_number&gt;"</P><P>&nbsp;</P><P><STRONG>1st Query Output:</STRONG></P><DIV class="multivalue-subcell">name=peter</DIV><DIV class="multivalue-subcell"><U><EM>project_id=123</EM></U></DIV><DIV class="multivalue-subcell">user_id=2700835661</DIV><DIV class="multivalue-subcell">zone=us-west-2a</DIV><P>&nbsp;</P><P><STRONG>2nd Query</STRONG>:</P><P>index=&lt;index_name&gt;&nbsp; "server failed" <EM>Project_id=&lt;need to get project_id&nbsp; from the result of 1st query Output&gt;</EM></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Wed, 06 Oct 2021 20:57:46 GMT https://community.splunk.com/t5/Splunk-Search/first-query-table-output-as-input-to-another-query/m-p/569957#M198661 vadlamudi 2021-10-06T20:57:46Z https://community.splunk.com/t5/Splunk-Search/first-query-table-output-as-input-to-another-query/m-p/569962#M198665 <P>From your description it looks like your k8s_label is a field containing 4 lines of data, each line represents a field of its own. However, your where statement in your first query references 'id=&lt;xxx&gt;" where there is no id= component in that text.</P><P>What do you want as your final output?</P><P>However, in terms of using one query to filter another you can use a subsearch, e.g.</P><LI-CODE lang="markup">index=&lt;index_name&gt; "server failed" [ search index=&lt;index_name&gt; sourcetype=&lt;sourcetype_name&gt; | rex field=k8s_label "(?s)project_id=(?&lt;Project_id&gt;\d+)" | fields Project_id ]</LI-CODE><P>&nbsp;which will use the Project_id from the subsearch as a filter to the outer search for server failed, but I am not clear if this is what you need. Can you clarify your data and expected output.</P><P>&nbsp;</P> Wed, 06 Oct 2021 21:36:18 GMT https://community.splunk.com/t5/Splunk-Search/first-query-table-output-as-input-to-another-query/m-p/569962#M198665 bowesmana 2021-10-06T21:36:18Z