topic Re: Search result as input to another search in Splunk Search

Search result as input to another search

mcm10285 — Tue, 03 Jul 2012 08:20:20 GMT

Hi, anybody has an idea on how to get a value from one search and input it to another search, then display them in a table? Sample below.

I’ll search for IP_Address on 1st search, then take that into 2nd search and find the Hostnames of those ip address…then display them

Search1:

sourcetype=srctype1 OR sourcetyp=srctype2 dstIP=1.1.1.1 OR dstIP=2.2.2.2|fields + srcIP dstIP|stats count by srcIP

Search2:

sourcetype=srctype3 (input srcIP from Search1)|fields + Hostname|stats count by srcIP Hostname

Display Table:

srcIP__________Hostname

a.b.c.d_______________abcd

Re: Search result as input to another search

Ayn — Mon, 30 Oct 2023 17:22:09 GMT

This is exactly what subsearches were made for. Have a look at the docs that cover this:
https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch

Re: Search result as input to another search

ysouchon — Tue, 03 Jul 2012 11:32:25 GMT

I'm not sure if I understood your question, but you should try something like :

And see what you get. Let me know if it helps you.

Re: Search result as input to another search

mcm10285 — Thu, 28 Feb 2013 06:01:18 GMT

This is really an old post, but I'm still looking for a way here. The join doesn't seem to resolve this as it mixes the results.

Just to be exact, I want to match an IP address from a proxy log to a device name or username from AD logs since there is no device name in the proxy logs. I want to input the IP address seen in proxy logs to the AD logs search for device name.

Re: Search result as input to another search

mbenwell — Mon, 28 Sep 2020 13:24:51 GMT

As Ayn said, subsearch is what you want. Perform a subsearch for the proxy event then feed that into a search through ad logs. It should look something like:

sourcetype=ad_logs [search sourcetype=proxy_logs | fields ip_address] | table user ip_address

Keep in mind the above assumes your proxy logs have the ip address in a fields called ip_address, and your ad logs have the username and ip address in fields user and ip_address respectively

Re: Search result as input to another search

mcm10285 — Fri, 01 Mar 2013 02:27:56 GMT

I did try the subsearch, however i kept running into the error "Error in 'fields' command: Invalid argument: 'fieldname=field_value'.

Then I ran into one of the Answers on another post, saying I Should add "|rename field as query". This one doesn't go into errors but doesn't get results either.

I'm looking into a document about creating State Tables.

Thanks.

Re: Search result as input to another search

Ayn — Fri, 01 Mar 2013 08:04:26 GMT

Uh, wouldn't be better to put your energy into troubleshooting your syntax problems with the probably best approach to solving your problems, rather than trying something else just because you couldn't get it right?

Re: Search result as input to another search

mbenwell — Sat, 02 Mar 2013 02:00:07 GMT

When you get errors like that, you should read the search command reference for that command. Specifically, with regards to the fields command, you're not using it properly.

Fields command synopsis: Keeps or removes fields from search results.

Re: Search result as input to another search

mcm10285 — Tue, 25 Jun 2013 05:38:55 GMT

just trying to get back on old questions....subsearch is definitely the way to go but not efficient for multiple subsearch results.

Re: Search result as input to another search

tuxmein — Tue, 17 Jul 2018 16:03:48 GMT

The link in the Accepted Answer link text seems to no longer reach an answer to this question because of update to SPLUNK. When I try it I get page that says:

Hi! Just wanted to let you know:

The topic you've asked to see does not apply to the most recent version.

To search the latest version of the documentation, click Search