Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a field as the "criteria search values" of another search in a Multisearch

andres91302
Communicator
‎03-23-2021 01:28 PM

Hello Fellas!

Im trying for so many days to usa the values stored in a field as  values to search for in anoter subset of a multi search without any luck, I hope I am making myself understood.

What I want to do:

1) store the IDS from the first search and saved them in a field named START
2) use all the IDS I have in the field START to run another search which requires the  field id_user

what Im doing:

| multisearch

[|search index="medi" AND bloodp="high" AND id_user=* AND facility=5
| eval START=id_user]

[|search index="medi" AND bloodp="high" AND id_user=START AND facility=6 AND trx=*
| eval treatmentchose=trx]

I cannot seem to be using the ids in facility 5 to search for the medication that was giving to the patient in facilty 6 by using the IDS that I stored in the field START, can someone please please help me?


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-23-2021 08:40 PM

Hi @andres91302,

Can you please test below? This will use the id_users from the first search in second search.

index="medi" bloodp="high" facility=6 trx=* 
    [ search index="medi" bloodp="high" id_user=* facility=5 
    | stats count by id_user 
    | fields id_user] 
| eval treatmentchose=trx
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-23-2021 08:40 PM

Hi @andres91302,

Can you please test below? This will use the id_users from the first search in second search.

index="medi" bloodp="high" facility=6 trx=* 
    [ search index="medi" bloodp="high" id_user=* facility=5 
    | stats count by id_user 
    | fields id_user] 
| eval treatmentchose=trx
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-24-2021 07:28 PM

@scelikok  Thank you so much my friend.. how would you find the interset beween the two trx? is ther any funtion to find the vales that both fields share???

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...