topic Re: How to pass list of values from the first search into the second search ? in Splunk Search

How to pass list of values from the first search into the second search ?

raylex_splunk_d — Fri, 06 May 2016 15:10:12 GMT

Here is what I do to get required search results using two separate searches:

SEARCH#1

I use the following query

index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName

In order to generate statistical table containing single column list of names of the servers:

servername1
servername2
servername3

SEARCH#2

I use the following query to generate search results using the names I obtained earlier in SEARCH#1

index=software_inventory servername1 OR servername2 OR servername3

It is an easy task if you have 3 servers, but it is not if you have 500

QUESTION:

How do I combine these two searches into one so I don't have to put server names manually into second search?

Thank you so much for your help!

Re: How to pass list of values from the first search into the second search ?

jkat54 — Sat, 07 May 2016 02:00:40 GMT

Assuming the software inventory index contains field extractions for the server names and the field is called servername...

 index=software_inventory [search  index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName] | search servername=ServerName

Or maybe it's just as easy as this:

index=software_inventory [search  index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName]

I'm not very awesome at subsearches...

Re: How to pass list of values from the first search into the second search ?

Richfez — Sat, 07 May 2016 02:21:12 GMT

Converted to an Answer, because it is one. 🙂

Re: How to pass list of values from the first search into the second search ?

raylex_splunk_d — Mon, 09 May 2016 13:16:37 GMT

Thanks so much for your response!

I tried both methods but it doesn't work the same way as it does when manually putting "ServerName" values into the search.

Field ServerName does exist. In my example "servername1..2" in lower case is actual value of the ServerName filed.

Re: How to pass list of values from the first search into the second search ?

jkat54 — Mon, 09 May 2016 13:22:19 GMT

Does the ServerName field exist in the software_inventory index?

Re: How to pass list of values from the first search into the second search ?

raylex_splunk_d — Mon, 09 May 2016 14:02:46 GMT

ServerName field does not exist in software_inventory index.

However, values (servername1, servername2, servername3..) do exist in software_inventory index.

Basically what I am doing is extracting list of server names from hardware_inventory index and then use this list of names to extract all data, associated with these names from software_inventory index.

Re: How to pass list of values from the first search into the second search ?

jkat54 — Mon, 09 May 2016 15:33:21 GMT

That's why i mentioned the assumption, and it certainly changes the answer 😉

 index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | rename ServerName as search ]

Or use return command instead of rename:

 index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | return $ServerName ]

Re: How to pass list of values from the first search into the second search ?

raylex_splunk_d — Tue, 29 Sep 2020 09:37:56 GMT

Thanks so much for trying to help me !!!
I did try both of the queries but still getting incorrect results : it shows only the very first name (value) from the generated list from hardware_inventory. Somehow it is only passing one, not multiple values to the software_inventory.

Somehow I need to pass OR after each value name in order to get the right results

Re: How to pass list of values from the first search into the second search ?

raylex_splunk_d — Tue, 29 Sep 2020 09:39:56 GMT

If I can make query :

index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | rename ServerName as search ]

to return events for more than one value I think that would do it !

Re: How to pass list of values from the first search into the second search ?

jkat54 — Mon, 09 May 2016 18:26:55 GMT

index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | return 500000 $ServerName]

Re: How to pass list of values from the first search into the second search ?

jkat54 — Mon, 09 May 2016 18:31:08 GMT

index=software_inventory [ search index=hardware_inventory vendor=hp env=prod ServerName=* | dedup ServerName | fields ServerName | format]

Re: How to pass list of values from the first search into the second search ?

raylex_splunk_d — Tue, 10 May 2016 13:45:24 GMT

Thanks so much for your great help!!!

Re: How to pass list of values from the first search into the second search ?

jkat54 — Tue, 10 May 2016 13:58:06 GMT

Problem solved? If so can you mark as answer?

Re: How to pass list of values from the first search into the second search ?

raylex_splunk_d — Wed, 11 May 2016 10:54:03 GMT

Yes ! Thank you so much!
I did mark the answer!

Re: How to pass list of values from the first search into the second search ?

Anantha123 — Wed, 31 Oct 2018 03:34:49 GMT

Hii, Which query helped you ??