https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193384#M55646 <P>Assuming you have the field RequestID extracted for both Request and Response XML data, try something like this</P> <PRE><CODE>your base search to get request xml [search your base search to get Response xml | table RequestID ] | rest of the search </CODE></PRE> <P>THe subsearch will get list of RequestID and make a giant OR condition , which will filter the data from your base search which is for Requests.<BR /> <STRONG><EM>Update</EM></STRONG><BR /> Try something like this</P> <PRE><CODE>your base search to get Response XML | rex field=_raw "requestID\&gt;(?&lt;RequestId&gt;[^\&lt;])" | eval search="requestID\&gt;".RequestId | table search] | rest of the search </CODE></PRE> Tue, 25 Aug 2015 22:45:42 GMT somesoni2 2015-08-25T22:45:42Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193383#M55645 <P>Hello,</P> <P>So I'm logging xml requests and responses as raw strings into splunk. To get the responses searching, among other things, the following string:</P> <PRE><CODE> &gt;response&lt;/ </CODE></PRE> <P>This results of this will have a value that will help me link them to the request associated to that response. My question is, how can I search for the requests associated to those specific results.</P> <P>So for example, my first query returns 100 responses with different unique "RequestID", how do i find the 100 requests that have that "RequestID".</P> <P>Thanks</P> Tue, 25 Aug 2015 20:58:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193383#M55645 HomelessMonkey 2015-08-25T20:58:27Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193384#M55646 <P>Assuming you have the field RequestID extracted for both Request and Response XML data, try something like this</P> <PRE><CODE>your base search to get request xml [search your base search to get Response xml | table RequestID ] | rest of the search </CODE></PRE> <P>THe subsearch will get list of RequestID and make a giant OR condition , which will filter the data from your base search which is for Requests.<BR /> <STRONG><EM>Update</EM></STRONG><BR /> Try something like this</P> <PRE><CODE>your base search to get Response XML | rex field=_raw "requestID\&gt;(?&lt;RequestId&gt;[^\&lt;])" | eval search="requestID\&gt;".RequestId | table search] | rest of the search </CODE></PRE> Tue, 25 Aug 2015 22:45:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193384#M55646 somesoni2 2015-08-25T22:45:42Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193385#M55647 <P>Sadly the whole thing is just a raw string so it's more like:</P> <PRE><CODE>[rest of the xml]&lt;requestId&gt;value&lt;/requestid&gt;..[rest of the xml] </CODE></PRE> Tue, 25 Aug 2015 23:22:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193385#M55647 HomelessMonkey 2015-08-25T23:22:06Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193386#M55648 <P>I just tried your Updated code as suggested and I'm getting parser errors. Trying to look up in the documentation, just to be sure my query is looking something like this</P> <PRE><CODE>responseQuery | rex field=_raw "requestID\&gt;(?&lt;RequestId&gt;[^\&lt;])" | eval search="requestID\&gt;".RequestId | table search] | requestQuery </CODE></PRE> <P>Getting a "mismatched ]" error (guessing it is the one after search. When removing it, it tries to parse the query as a command. Thanks so much for the help so far, I'm not used to performing this kind of queries.</P> Wed, 26 Aug 2015 19:45:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193386#M55648 HomelessMonkey 2015-08-26T19:45:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193387#M55649 <P>If you can post sample query using which you're getting response data and request data (two separate queries), I can help you translate this correctly.</P> Wed, 26 Aug 2015 19:56:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193387#M55649 somesoni2 2015-08-26T19:56:41Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193388#M55650 <P>Request: [environment name] "&gt;request&lt;/" ProcessXmlStream<BR /> Response: "&gt;response&lt;/" [Error code]</P> Wed, 26 Aug 2015 22:22:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-query-using-values-that-come-from-the-result-of/m-p/193388#M55650 HomelessMonkey 2015-08-26T22:22:53Z