I have a query which returns 100 IDs (the IDs are dynamic). I have to search for these 100 IDs in another log and see if they exist.
Example: search 1 returns id1, id2, id3, id4.
Search 2 uses the above IDs (id1, id2, id3, id4) to search in this log.
How do I create one single query to do this?
The objective: a request goes from server A to server B. We need to check whether server B got the request from server A by using its request ID.
@Prasenjit1508,
You could do that with a subsearch, since the number of IDs is within the subsearch limit (50k):
"search 2 with its search terms" [ search1 to get all required ids | fields id ]
Make sure you have the same field names in both searches.
Here is a run-anywhere example:
index=_internal earliest=-5m
[| makeresults | eval sourcetype="splunkd splunkd_ui_access" | makemv sourcetype | mvexpand sourcetype | fields - _time]
| stats count by sourcetype
In the above case, the final (expanded) search is:
index=_internal (sourcetype="splunkd" OR sourcetype="splunkd_ui_access") _time>=1552714093.000
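As an added example (not part of the original question or answer), here is the same subsearch pattern written out for the server A / server B request-ID check. The index names, sourcetypes and the field names request_id and requestid are assumptions; rename them to match your data. The first search follows the answer above and returns only the IDs that did reach server B, because a subsearch can only narrow the outer search. The second search uses append plus stats so that IDs that left server A but never appeared on server B are listed too, which is what "see if they exist" usually needs in practice.

```spl
index=serverb sourcetype="serverb:app" earliest=-1h
    [ search index=servera sourcetype="servera:app" earliest=-1h
      | rename request_id AS requestid
      | dedup requestid
      | fields requestid ]
| stats count AS hits_on_b BY requestid

index=servera sourcetype="servera:app" earliest=-1h
| eval side="A"
| append
    [ search index=serverb sourcetype="serverb:app" earliest=-1h
      | eval side="B" ]
| rename request_id AS requestid
| stats count(eval(side="A")) AS seen_on_a, count(eval(side="B")) AS seen_on_b BY requestid
| where seen_on_a > 0 AND seen_on_b = 0
```

In the first search the subsearch returns one row per requestid, which Splunk expands into (requestid=... OR requestid=...) before running the outer search; the rename inside the subsearch is what makes the field names line up, and dedup keeps the expanded clause short. Two caveats a practitioner should check before trusting the result: on a default install the subsearch result cap is controlled by maxout under [subsearch] in limits.conf (10,000 results) together with a 60-second maxtime, so verify your own limits.conf rather than assuming the cap; and append is itself a subsearch with its own maxout and maxtime arguments, so a truncated append would make requests look missing on server B when they were simply cut off. Open the Job Inspector on the finished search to see the expanded query and whether either subsearch hit a limit.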