topic Re: Retrieving data from one query and using it to find data from another in Splunk Search

Retrieving data from one query and using it to find data from another

momagic — Fri, 31 Jan 2025 22:31:15 GMT

I have a query From source A that i need to get a list of 3 parameters back and for one of these parameters which is a ID and i need to get the the actual name of the object from another query from source B using this ID. Eventually i need i want to create a table to print the 3 parameter including the name also. Any help would be greatly appreciated?

Re: Retrieving data from one query and using it to find data from another

gcusello — Sat, 01 Feb 2025 06:57:37 GMT

Hi @momagic ,

you have to use a subsearch:

create a main query containing the data to display,

adding as subsearch (putting it between square brackets and adding the search command at the beginning) the search containing the parameters,

then you can display the fields you want.

You have to put attention to two things:

at the end of the subsearch yo have to use a command as table or fields to list only the fields used as filters,
the fields from the subsearch must have exactly (case sensitive) the same names of the fields in the main search.

For example, if the fields to use to filter events are FieldA and FieldB but ib the subsearch there are also other fields, you should write:

index=index1 [ search index=index2 | fields FieldA FieldB ] | table _time host field1 field2 FieldA FieldB

If you haven't much experience on Splunk searches and you didn't followed a course (there are many free courses in Splunk), you could follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/SearchTutorial/WelcometotheSearchTutorial) that explain how to use Splunk for searching, and here you can find a description of how to use subsearches https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/SearchTutorial/Useasubsearch

Ciao.

Giuseppe

Ciao.

Giuseppe

Re: Retrieving data from one query and using it to find data from another

yuanliu — Sat, 01 Feb 2025 07:37:09 GMT

To receive help in Splunk search, it is best to give more concrete information, even if you use mock names and values.

Assuming the two different sources are sourcetype sourceA and sourceB. The 3 parameters in sourceA are named "ID", "param2", and "param3". Further assume that sourceB has the same field name "ID" to match that in sourceA, and that "actual name of the object" is in field named "name". Assuming that all these fields are already extracted.

sourcetype IN (sourceA, sourceB) | stats values(name) as name values(param2) as param2 values(param3) as param3 by ID