
Pass arguments between two searches, different sources

Path Finder

I am trying to perform a "for loop" Splunk style, with two sources: source1, source2. The searches right now look like this:

1. source="source1" param1=value1 param2=value2 | stats values(token). I need the token for the next one:

2. source="source2" param4="*" token

I tried this (but it returns the error "Error in 'map': Did not find value for required attribute 'token'"):

source="source1" param1=value1 param2=value2 | stats values(token) | 
map maxsearches=10 search="search source="source2" param4="*"  token=$token$ | 
stats values(param4) by token "

Where am I wrong, and is there a way to optimize this?
I tried source1 OR source2, but then I need multiple OR ( AND ( OR))) clauses to match multiple needed parameters.

Thanks in advance,

0 Karma

Re: Pass arguments between two searches, different sources

SplunkTrust

You're basically trying to use results from one search to filter the next? No problem with subsearches:

source="source2" param4="*" [search source="source1" param1=value1 param2=value2 | fields token | dedup token]

Open the job inspector to see the expression being returned by the subsearch; it'll be a huge ((OR))-behemoth.


Re: Pass arguments between two searches, different sources

Path Finder

True, but your way doesn't seem to be working.

The way I tried to do it, search 1 would return a list or a single token, like so:

token1
token2

What search 2 does is, for each tok_en*, get the logged error message. It seems I need more time.

0 Karma

Re: Pass arguments between two searches, different sources

SplunkTrust

Do both sources have an extracted field token?

0 Karma

Re: Pass arguments between two searches, different sources

Path Finder

Sorry for the delay.
Yes, both searches have "token" extracted.
I can manually perform search1, copy/paste "token" into search2, but I'd like to automate it.

0 Karma

Re: Pass arguments between two searches, different sources

SplunkTrust

That's exactly what the search-subsearch combo in my answer does.

0 Karma

Re: Pass arguments between two searches, different sources

Path Finder

The "[ inner search ]" returns the token alright, however it seems that the outer one doesn't understand the token provided... I accepted your answer, as it seems the problem is related to my Splunk instance 🙂

0 Karma

Re: Pass arguments between two searches, different sources

SplunkTrust

Do post the exact search you're running and the debug info shown at the top of the job inspector.

0 Karma

Re: Pass arguments between two searches, different sources

Path Finder

The working solution looks like this (note: results may vary, depending on what fields you have extracted):

index=common_index  source=source2 param5 param4="*"  
[ 
  search index=common_index source=source1 param1=value1 param2=value2  
|stats values(token) as omg 
|rename omg as query 
] 
| stats values(param4) by token

This thing returns results like so:

param4_value1  token1
param4_value2  token2
param4_value2  token3

etc. 

martin_mueller, thanks one more time for helping 🙂

0 Karma
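A simplified model of the two mechanisms this thread turns on, added here as an illustration (it is not Splunk's code and not from any poster): why the original `map` attempt could not find `token`, and how a subsearch is spliced into the outer search as martin_mueller's answer and the final `rename omg as query` form rely on. The sample rows, the `source2` template and the exact rendering of the expanded search string are constructed assumptions; the authoritative expansion for a real search is what the job inspector shows.

```python
"""Toy model of Splunk's map substitution and subsearch expansion.

Not Splunk code. Shows:
  1. `stats values(token)` emits a field literally named "values(token)",
     so `map ... token=$token$` has no "token" field to fill in.
  2. A subsearch is turned into a search string: ordinary fields become
     field="value" terms, ANDed within a row and ORed across rows; a field
     named "query" (or "search") is spliced in verbatim, which is what the
     `rename omg as query` step exploits.
"""
import re

# Constructed sample results, as if returned by the inner search on source1.
INNER_RESULTS = [
    {"token": "token1", "host": "web01"},
    {"token": "token2", "host": "web02"},
    {"token": "token1", "host": "web03"},  # duplicate token, different host
]

MAP_TEMPLATE = 'search source="source2" param4="*" token=$token$'  # assumed template


def stats_values(rows, field, alias=None):
    """Model `stats values(<field>) [as <alias>]`: one row holding a sorted, deduped multivalue."""
    name = alias or f"values({field})"
    return [{name: sorted({r[field] for r in rows if field in r})}]


def fields_dedup(rows, field):
    """Model `fields <field> | dedup <field>`: one row per distinct value, first-seen order."""
    seen, out = set(), []
    for r in rows:
        v = r.get(field)
        if v is not None and v not in seen:
            seen.add(v)
            out.append({field: v})
    return out


def map_substitute(template, row):
    """Model `map`'s $field$ substitution; fail the way Splunk reports a missing field."""
    def repl(m):
        name = m.group(1)
        if name not in row:
            raise KeyError(f"Error in 'map': Did not find value for required attribute '{name}'")
        value = row[name]
        return " ".join(map(str, value)) if isinstance(value, list) else str(value)
    return re.sub(r"\$([^$]+)\$", repl, template)


def quote(v):
    """Double-quote a value for a field=value term, escaping embedded quotes."""
    return '"' + str(v).replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_subsearch(rows):
    """Model default subsearch rendering (the implicit `format` step).

    Rows are ORed, fields within a row ANDed, multivalue fields ORed, and
    the special "query"/"search" field is inserted as-is instead of as
    field=value. Parentheses are only added where more than one term meets.
    """
    clauses = []
    for row in rows:
        terms = []
        for field, value in row.items():
            values = value if isinstance(value, list) else [value]
            parts = [str(v) for v in values] if field in ("query", "search") \
                else [f"{field}={quote(v)}" for v in values]
            terms.append(parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")")
        clauses.append(terms[0] if len(terms) == 1 else "(" + " AND ".join(terms) + ")")
    if not clauses:
        return ""  # simplification: the model splices nothing for an empty subsearch
    return clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"


def demo():
    """Return (map error, expanded accepted-answer search, verbatim query expansion)."""
    # 1. The failing attempt: stats produced "values(token)", not "token".
    stats_row = stats_values(INNER_RESULTS, "token")[0]
    try:
        map_substitute(MAP_TEMPLATE, stats_row)
        map_error = None
    except KeyError as e:
        map_error = e.args[0]
    # 2. Accepted answer: `fields token | dedup token` spliced into the outer search.
    outer = 'source="source2" param4="*" ' + format_subsearch(fields_dedup(INNER_RESULTS, "token"))
    # 3. Final working form: `stats values(token) as omg | rename omg as query`.
    verbatim = format_subsearch(stats_values(INNER_RESULTS, "token", alias="query"))
    return map_error, outer, verbatim


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints the map error from the question, then the accepted answer's expansion `source="source2" param4="*" (token="token1" OR token="token2")`, then the bare `(token1 OR token2)` produced by the `query` rename; the difference between the last two is that a bare term matches the token anywhere in the raw event, while `token="..."` requires the extracted field, which is why both sources having `token` extracted matters for the first form.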