topic Re: how to use files got from one query as source in another query? in Splunk Search

How to use files got as results from one query as source in another query?

anooshac — Thu, 10 Mar 2022 15:51:41 GMT

Hi all,

I have 2 queries, from one i get a list of files and the other query should use these files as their source to get some results. The output of first queries may have a lot files and i want to use all of them together in the second query. Does anyone have idea of how to do this one?

Re: how to use files got from one query as source in another query?

gcusello — Thu, 10 Mar 2022 10:43:27 GMT

Hi @anooshac,

you could try something like this:

your_search_1 [ search your_search_2 | fields source ] | ...

If you could share both your searches I could be more detailed.

Ciao.

Giuseppe

Re: how to use files got from one query as source in another query?

anooshac — Thu, 10 Mar 2022 11:00:20 GMT

hi, this is the first query i m using to get the files. I want the recent file uploaded of the project. This will give the recent file name with the project name. I don't know if this is the right method to get recent file.

index=abc source=.......|rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)" |stats latest(project_name_file) by project_name

The result will be having many files. I want to use all these files in another query.

index=abc source="All the files from previous query"|dedup name| chart count(name) as count by "Number"

I am not sure how to use all the files as source.

Re: how to use files got from one query as source in another query?

gcusello — Thu, 10 Mar 2022 11:05:40 GMT

Hi @anooshac,

please see my approach and adapt it to your use Case:

in few words, using the first search to filter the second search results, you have to put the first search in a subsearch, then be sure that the key field has the same name in both main and subsearch: for this reason I renamed latest(project_name_file) AS source.

Beware if the project_name_file has or not the full path that you should have in the source field of the main search.

Ciao.

Giuseppe

Re: how to use files got from one query as source in another query?

anooshac — Fri, 11 Mar 2022 04:51:00 GMT

I am getting as no results found. Will i be able to use this query if the inner query has more than 1 file as output? Is it because of that giving as no results found?

Re: how to use files got from one query as source in another query?

gcusello — Fri, 11 Mar 2022 07:31:50 GMT

Hi @anooshac,

as I said in my previous answer, probably the problem in in the format of the results, you should check the results of the two queries and see if they have the same format, e.g. have both the full path or not?

If they are different you have to modify the search to adapt to the different formats: e.g. use an asterisk or delete the full path and leave only the filename.

Ciao.

Giuseppe

Re: how to use files got from one query as source in another query?

anooshac — Fri, 11 Mar 2022 11:37:44 GMT

Sorry.. missed that part. It is working fine now. Thanks a lot for the help!

Re: how to use files got from one query as source in another query?

gcusello — Fri, 11 Mar 2022 11:43:57 GMT

Hi @anooshac,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉