Splunk Search

Use the result from first search into second search

younes17
Explorer

I have a first search that will find the software list:
search index=index1 | table software

In the second search, I need to use the result of the first search to find the matching result with the "where" command.

1 Solution

somesoni2
SplunkTrust

Try like this

index=index2 [search index=index1 | table fields1 | eval fields2="*".fields1."*" | table fields2] | table fields2

View solution in original post



younes17
Explorer

I have two fields, one in each index: the first one, fields1, for index1, and the second, fields2, for index2.

index=index2 [search index=index1|fields1] | where fields2 like "%fields1%" | table fields2


reed_kelly
Contributor

Your question is not very specific, so there are many answers depending on the context. Suppose your second search is "index=index2" and there is a field called software; then you could use a subsearch as follows:

index=index2 [search index=index1|fields software]

If the field in the second search is package instead of software, then you can do this:

index=index2 [search index=index1|rename software as package|fields package]

younes17
Explorer

I have two fields, one in each index: the first one, fields1, for index1, and the second, fields2, for index2.

index=index2 [search index=index1|fields1] | where fields2 like "%fields1%" | table fields2


reed_kelly
Contributor

I think you are confusing the where command with the SQL where. They are two different things. To achieve what you are looking for with a subsearch, you can do the following:

index=index2 [search index=index1|eval fields2="*"+fields1+"*"|fields fields2]

Depending on what you are trying to achieve this can be made more efficient, but the "*" in search is similar to SQL '%'.


Richfez
SplunkTrust

A subsearch...

Usually/often used like

index=index2 [search index=index1 | table software]

If your subsearch returns "Office" and "Windows" then the entire search after running it becomes index=index2 AND (software=Office OR software=Windows).

If you specifically need to use where, it should still work the same.

index=index2  ... | where search [index=index1 | table software]

But, there are comparison cases where it gets just a tiny bit trickier. If you could provide the search you are actually using, it might be easier to get a really specific answer.
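To make the expansion Richfez describes and the wildcard trick in the accepted answer concrete, here is a small Python model, added here and not taken from any poster or from Splunk itself. It assumes the subsearch rows are rendered in the shape Splunk's implicit format command produces and that field values match case-insensitively, and it runs against constructed index1 rows and index2 events.

```python
import fnmatch

# Constructed sample data: rows returned by the inner search
# "index=index1 | table software", and three events from index2.
INNER_ROWS = [{"software": "Office"}, {"software": "Windows"}]
OUTER_EVENTS = [
    {"software": "Office"},
    {"software": "Microsoft Office 2016"},
    {"software": "Linux"},
]


def expand_subsearch(rows):
    """Render subsearch rows the way Splunk's implicit `format` does:
    each row becomes an AND of field="value" terms, rows are OR-ed."""
    clauses = []
    for row in rows:
        terms = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def wildcard_rows(rows, src, dst):
    """Model `eval dst="*".src."*" | table dst` from the accepted answer:
    the values are wrapped in '*' so they become substring matches."""
    return [{dst: f"*{row[src]}*"} for row in rows]


def matches(event, rows):
    """Evaluate the expanded clause against one event. Only '*' is
    expected in the values; it is treated as a Splunk-style wildcard and
    the comparison is case-insensitive like a normal search term."""
    for row in rows:
        if all(fnmatch.fnmatchcase(str(event.get(k, "")).lower(), v.lower())
               for k, v in row.items()):
            return True
    return False


def run(events, rows):
    """Return the software values of the events the outer search keeps."""
    return [e["software"] for e in events if matches(e, rows)]


if __name__ == "__main__":
    print(expand_subsearch(INNER_ROWS))
    print("exact:   ", run(OUTER_EVENTS, INNER_ROWS))
    print("wildcard:", run(OUTER_EVENTS,
                           wildcard_rows(INNER_ROWS, "software", "software")))
```

The plain subsearch keeps only the exact "Office" event, while the wildcard variant also keeps "Microsoft Office 2016", which is the difference the "*" trick buys you.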

younes17
Explorer

I have two fields, one in each index: the first one, fields1, for index1, and the second, fields2, for index2.

index=index2 [search index=index1|fields1] | where fields2 like "%fields1%" | table fields2
