Multiple search values pass to another search

New Member

I have a query which returns 100 ids(ids are dynamic). I have to search for these 100 ids in another log and see if they exist.
Ex: Search1 returns id1,id2,id3,id4
search 2 uses the above ids ( id1,id2,id3,id4) to search in this log

How to do I create 1 single query to do this.

The objective is request goes from server A to Server B. We need to check whether server B got the request from server A by using its requestid

Tags (1)
0 Karma



You could do that with subsearch since the number of ids are within sub search limit(50k)

"search 2 with its search terms" [ search1 to get all required ids|field id] 

Make sure you have the same field names in both search.

Here is a run anywhere example

index=_internal   earliest=-5m
 [|  makeresults | eval sourcetype="splunkd splunkd_ui_access" | makemv sourcetype| mvexpand sourcetype| fields - _time]
 | stats count by sourcetype

In the above case, the final search is

   index=_internal (sourcetype="splunkd" OR sourcetype="splunkd_ui_access") _time>=1552714093.000
0 Karma