topic Re: Use the results of subsearch to rename those results with other name in new search in Splunk Search

Use the results of subsearch to rename those results with other name in new search

paritoshs24 — Fri, 24 Jun 2022 05:33:41 GMT

Hi All,

I have this data in index 1

input	active	Idle
a	d	g
b	e	h
c	f	i

I have this data in index 2

input	TEST	pwr
a	d	1
b	e	2
c	f	3
a	g	4
b	h	5
c	i	6

Now i want to change these d , e, f to active and g, h, i to idle

so my data in index looks like this

input	TEST	pwr
a	active	1
b	active	2
c	active	3
a	idle	4
b	idle	5
c	idle	6

and then i want to run my final search.
I tried sub searches and all, but unable to do this.

I have given small example there are 100s of active and idle entries

Re: Use the results of subsearch to rename those results with other name in new search

ITWhisperer — Fri, 24 Jun 2022 06:53:54 GMT

Re: Use the results of subsearch to rename those results with other name in new search

gcusello — Fri, 24 Jun 2022 07:03:47 GMT

Hi @paritoshs24,

if the results of the first query is fixed or doesn't change frequently, you could save them in a lookup and use the lookup command to change the values of the second query, this is the best and easiest solution.

Otherwise if they are dynamic you could use the join command but I don't like it or group results using stats, something like this:

obviously the first rows are to populate my search, you have to consider after the fields command row.

In your case:

Ciao.

Giuseppe

Re: Use the results of subsearch to rename those results with other name in new search

paritoshs24 — Sun, 26 Jun 2022 07:38:53 GMT

Thanks for your answer...at the end i used selfjoin command ......Voila ! ITs done ! 🎉

Re: Use the results of subsearch to rename those results with other name in new search

paritoshs24 — Sun, 26 Jun 2022 07:44:25 GMT

Thanks !!

My queries/data base is not fixed.
I used selfjoin though as it made my life simpler thanks for your explanation too.