https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87272#M22332 <P>On a daily basis a series of publications are distributed to a number of different accounts. The list of publications changes on a daily basis and is never repeated. The publications are transferred by a server named jkcs1. I have a search that gathers the names of publications created in the past 24 hours from that server. That search looks like this:</P> <PRE> sourcetype="iis" jkcs1 /tm/ .pdf |makemv delim="/" cs_uri_stem | eval pubName=mvindex(cs_uri_stem,3) | fields pubName | stats list(pubName) </PRE> <P>I need a second search that will take the output from the first search (pubName) and tell me how many of those publications were downloaded by each account. Not all accounts will download the same number of publications. I have a search that works perfectly if I hardcode the publication name. It looks like this:</P> <PRE> sourcetype="iis" 01-110hcg-1b.pdf cs_username!="-" | eval cs_uri_stem=lower(cs_uri_stem) | chart count(cs_uri_stem) as Accounts by cs_uri_stem | rename cs_uri_stem as Publications | where Accounts &gt;1 </PRE> <P>The output looks like this:</P> <PRE> Publications Accounts 01-110hcg-1b.pdf 24 </PRE> <P>What I want is something that combines both searches so that the second part gathers data based on the pubName field from the first search. The output would then look like this:</P> <PRE> Publications Accounts 01-110hcg-1b.pdf 24 16-35mx3160-2.pdf 18 a1-v22ac-mrc-000.pdf 22 01-75pac-2-9.pdf 24 </PRE> <P>I’ve tried subsearches, appends, appendcols, outputcsv and inputcsv, map and just about everything else I can think of. I can easily get the list of publications but the Accounts column is always blank.</P> <P>Is it possible to do what I want?</P> Wed, 05 Oct 2011 18:33:00 GMT kmattern 2011-10-05T18:33:00Z https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87272#M22332 <P>On a daily basis a series of publications are distributed to a number of different accounts. The list of publications changes on a daily basis and is never repeated. The publications are transferred by a server named jkcs1. I have a search that gathers the names of publications created in the past 24 hours from that server. That search looks like this:</P> <PRE> sourcetype="iis" jkcs1 /tm/ .pdf |makemv delim="/" cs_uri_stem | eval pubName=mvindex(cs_uri_stem,3) | fields pubName | stats list(pubName) </PRE> <P>I need a second search that will take the output from the first search (pubName) and tell me how many of those publications were downloaded by each account. Not all accounts will download the same number of publications. I have a search that works perfectly if I hardcode the publication name. It looks like this:</P> <PRE> sourcetype="iis" 01-110hcg-1b.pdf cs_username!="-" | eval cs_uri_stem=lower(cs_uri_stem) | chart count(cs_uri_stem) as Accounts by cs_uri_stem | rename cs_uri_stem as Publications | where Accounts &gt;1 </PRE> <P>The output looks like this:</P> <PRE> Publications Accounts 01-110hcg-1b.pdf 24 </PRE> <P>What I want is something that combines both searches so that the second part gathers data based on the pubName field from the first search. The output would then look like this:</P> <PRE> Publications Accounts 01-110hcg-1b.pdf 24 16-35mx3160-2.pdf 18 a1-v22ac-mrc-000.pdf 22 01-75pac-2-9.pdf 24 </PRE> <P>I’ve tried subsearches, appends, appendcols, outputcsv and inputcsv, map and just about everything else I can think of. I can easily get the list of publications but the Accounts column is always blank.</P> <P>Is it possible to do what I want?</P> Wed, 05 Oct 2011 18:33:00 GMT https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87272#M22332 kmattern 2011-10-05T18:33:00Z https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87273#M22333 <P>You need:</P> <PRE><CODE>sourcetype="iis cs_username!="-" [ search sourcetype="iis" jkcs1 /tm/ .pdf | makemv delim="/" cs_uri_stem | eval pubName=mvindex(cs_uri_stem,3) | fields pubName | rename pubName as query ] | eval cs_uri_stem=lower(cs_uri_stem) | chart count(cs_uri_stem) as Accounts by cs_uri_stem | rename cs_uri_stem as Publications | where Accounts &gt;1 </CODE></PRE> <P>You use a standard subsearch, but the trick is to name your field "query". I have no idea if this is even documented.</P> Wed, 05 Oct 2011 20:14:52 GMT https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87273#M22333 gkanapathy 2011-10-05T20:14:52Z https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87274#M22334 <P>Thanks! That's pretty close to what I want. I'll have to parse cs_uri_stem to remove the rest of the path for the file name. I have never seen anything about renaming teh field to "query" but if it works...</P> Mon, 28 Sep 2020 09:57:02 GMT https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87274#M22334 kmattern 2020-09-28T09:57:02Z https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87275#M22335 <P>It does get touched on in the docs a bit. <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork">http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork</A> under the section titled "change the format of subsearch results" (which is now that I look at it, a bit of a misleading title for this info).</P> Thu, 06 Oct 2011 03:15:02 GMT https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87275#M22335 sideview 2011-10-06T03:15:02Z https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87276#M22336 <P>YOU ARE AMAZING</P> Fri, 12 Jul 2013 20:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Pass-parameters-from-one-search-to-a-second/m-p/87276#M22336 hiyer 2013-07-12T20:20:13Z