Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a field as the "criteria search values" of another search in a Multisearch

andres91302
Communicator
‎03-23-2021 01:28 PM

Hello Fellas!

Im trying for so many days to usa the values stored in a field as  values to search for in anoter subset of a multi search without any luck, I hope I am making myself understood.

What I want to do:

1) store the IDS from the first search and saved them in a field named START
2) use all the IDS I have in the field START to run another search which requires the  field id_user

what Im doing:

| multisearch

[|search index="medi" AND bloodp="high" AND id_user=* AND facility=5
| eval START=id_user]

[|search index="medi" AND bloodp="high" AND id_user=START AND facility=6 AND trx=*
| eval treatmentchose=trx]

I cannot seem to be using the ids in facility 5 to search for the medication that was giving to the patient in facilty 6 by using the IDS that I stored in the field START, can someone please please help me?


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-23-2021 08:40 PM

Hi @andres91302,

Can you please test below? This will use the id_users from the first search in second search.

index="medi" bloodp="high" facility=6 trx=* 
    [ search index="medi" bloodp="high" id_user=* facility=5 
    | stats count by id_user 
    | fields id_user] 
| eval treatmentchose=trx
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-23-2021 08:40 PM

Hi @andres91302,

Can you please test below? This will use the id_users from the first search in second search.

index="medi" bloodp="high" facility=6 trx=* 
    [ search index="medi" bloodp="high" id_user=* facility=5 
    | stats count by id_user 
    | fields id_user] 
| eval treatmentchose=trx
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-24-2021 07:28 PM

@scelikok  Thank you so much my friend.. how would you find the interset beween the two trx? is ther any funtion to find the vales that both fields share???

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...