topic Re: Obtain data from one search and store it in a variable to search data in another search in Splunk Search

How to obtain data from one search and store it in a variable to search data in another search?

paritoshs24 — Tue, 21 Jun 2022 18:06:15 GMT

My search is like this

index = idx source = src data_stamp = A field1 = *lol* | table Field2
--> This generates a column with only value which i need to store in some $VAR

index = idx source = src data_stamp = B field1 = *lol* TEST = $VAR | table field 3

Re: Obtain data from one search and store it in a variable to search data in another search

paritoshs24 — Mon, 20 Jun 2022 16:31:57 GMT

@ITWhisperer

Re: Obtain data from one search and store it in a variable to search data in another search

richgalloway — Mon, 20 Jun 2022 16:56:56 GMT

Splunk doesn't have variables. One can use tokens in a dashboard for an equivalent function, but that's not available in SPL.

One alternative is a subsearch. A subsearch runs first and its results become part of the main search.

index = idx source = src data_stamp = B field1 = *lol* [ index = idx source = src data_stamp = A field1 = *lol* | return TEST=Field2 ] | table field 3

In this example, the subsearch is in square brackets and runs the specified search. The return command creates a result with the Field2 field renamed to TEST. The main search then becomes

index = idx source = src data_stamp = B field1 = *lol* TEST=foo | table field 3

Re: Obtain data from one search and store it in a variable to search data in another search

PickleRick — Mon, 20 Jun 2022 18:15:23 GMT

It's worth pointing out that subsearches have their own limitations and - especially with big searches - are best avoided. The same result can quite often be achieved another way.

Re: Obtain data from one search and store it in a variable to search data in another search

paritoshs24 — Tue, 21 Jun 2022 08:10:34 GMT

Hi .... Its working...thanks for the help.
One more thing to ad in subsearch :
Can I use IN command ??

index = idx source = src data_stamp = B field1 = *lol* [ index = idx source = src data_stamp IN (A B) field1 = *lol* | return TEST=Field2 ] | table field 3

I need to pass multiple values of data_stamp.

Re: Obtain data from one search and store it in a variable to search data in another search

paritoshs24 — Tue, 21 Jun 2022 08:12:00 GMT

Can you please point out how subsearch could be escaped ?

Re: Obtain data from one search and store it in a variable to search data in another search

richgalloway — Tue, 21 Jun 2022 13:22:25 GMT

Yes, the IN operator may be used in a subsearch.

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.