https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-string-from-a-field-to-use-in-another-search/m-p/206979#M60309 <P>So I am new to Splunk, but cannot seem to find the answer to this likely simple search question. So I need to search for a string, then use that value in a second search. Assuming this will just be a subsearch.</P> <P>For Example: </P> <P>I can use this search to pull the piece of information I need - but it labels it as a field called <STRONG>callID</STRONG>. We have not set up callID as a field yet it seems, and I don't want to rock the boat on that just yet, so I think I just need it as a string to use in the next search. Would I look for that "callID" part using regex?</P> <PRE><CODE>index=sip-ra ani 18005551111 17775559999 ConfJoinNote | rex field=_raw "\(?&lt;callID&gt;.*)\&lt;\/callLegSessionID\&gt;" </CODE></PRE> <P>that would return this as callID:</P> <PRE><CODE>204.466.sip_reservationless_conference.102@64.214.111.111 </CODE></PRE> <P>Then my next search would have the above as a subsearch like so:</P> <PRE><CODE>index=sip-ra [subsearch to get the callID string] "audio" "digits" </CODE></PRE> <P>I just can't figure out how to get it to use that 204.466*** as part of that next search?</P> <P>thank you!</P> <P>skiller</P> Fri, 05 Aug 2016 17:05:10 GMT skiller1234 2016-08-05T17:05:10Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-string-from-a-field-to-use-in-another-search/m-p/206979#M60309 <P>So I am new to Splunk, but cannot seem to find the answer to this likely simple search question. So I need to search for a string, then use that value in a second search. Assuming this will just be a subsearch.</P> <P>For Example: </P> <P>I can use this search to pull the piece of information I need - but it labels it as a field called <STRONG>callID</STRONG>. We have not set up callID as a field yet it seems, and I don't want to rock the boat on that just yet, so I think I just need it as a string to use in the next search. Would I look for that "callID" part using regex?</P> <PRE><CODE>index=sip-ra ani 18005551111 17775559999 ConfJoinNote | rex field=_raw "\(?&lt;callID&gt;.*)\&lt;\/callLegSessionID\&gt;" </CODE></PRE> <P>that would return this as callID:</P> <PRE><CODE>204.466.sip_reservationless_conference.102@64.214.111.111 </CODE></PRE> <P>Then my next search would have the above as a subsearch like so:</P> <PRE><CODE>index=sip-ra [subsearch to get the callID string] "audio" "digits" </CODE></PRE> <P>I just can't figure out how to get it to use that 204.466*** as part of that next search?</P> <P>thank you!</P> <P>skiller</P> Fri, 05 Aug 2016 17:05:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-string-from-a-field-to-use-in-another-search/m-p/206979#M60309 skiller1234 2016-08-05T17:05:10Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-string-from-a-field-to-use-in-another-search/m-p/206980#M60310 <P>Apologies - the first search is incomplete:</P> <P>index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?.*)&lt;\/callLegSessionID&gt;" </P> Fri, 05 Aug 2016 17:08:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-string-from-a-field-to-use-in-another-search/m-p/206980#M60310 skiller1234 2016-08-05T17:08:11Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-string-from-a-field-to-use-in-another-search/m-p/206981#M60311 <P>Try this</P> <PRE><CODE>index=sip-ra [ search index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?&lt;callID&gt;.*)\&lt;\/callLegSessionID\&gt;" | table callID | rename callID as search] "audio" digits" </CODE></PRE> Fri, 05 Aug 2016 17:15:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-string-from-a-field-to-use-in-another-search/m-p/206981#M60311 sundareshr 2016-08-05T17:15:55Z