Solved: Search from host 'A' (based on multiple values of ...

song_jin99 · ‎09-14-2017

Hi,

I have a question for searching.

I want to search from host 'A' (based on multiple values of a field of another search from host 'B').
In other words, I have a search result (values of field 'id') from host 'B' as below:
search query: host='B' "Test" | fields + id | table id

And I want to find results for all values of 'id' in host 'A'.

I tried sub-search, but it seems it only works for one value of a field. (I am newbie, maybe I might be wrong)
Can anyone provide any suggestion?

gcusello · ‎09-15-2017

Hi song_jin99,
at first are you sure that:

id is present in both the searches,
id doesn't have spaces,
id is always in upper o lower case especially the last condition is very relevant in subsearch use.

if yes try something like this

index=your_index host=hostA [search index=your_index host=hostB | fields id ]

Bye.
Giuseppe

View solution in original post

gcusello · ‎09-15-2017

Hi song_jin99,
at first are you sure that:

id is present in both the searches,
id doesn't have spaces,
id is always in upper o lower case especially the last condition is very relevant in subsearch use.

if yes try something like this

index=your_index host=hostA [search index=your_index host=hostB | fields id ]

Bye.
Giuseppe

gcusello · ‎09-20-2017

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

song_jin99 · ‎09-21-2017

Thanks Cusello

Search from host 'A' (based on multiple values of a field of another search from host 'B')

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor