Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a field as the "criteria search values" of another search in a Multisearch

andres91302
Communicator
‎03-23-2021 01:28 PM

Hello Fellas!

Im trying for so many days to usa the values stored in a field as  values to search for in anoter subset of a multi search without any luck, I hope I am making myself understood.

What I want to do:

1) store the IDS from the first search and saved them in a field named START
2) use all the IDS I have in the field START to run another search which requires the  field id_user

what Im doing:

| multisearch

[|search index="medi" AND bloodp="high" AND id_user=* AND facility=5
| eval START=id_user]

[|search index="medi" AND bloodp="high" AND id_user=START AND facility=6 AND trx=*
| eval treatmentchose=trx]

I cannot seem to be using the ids in facility 5 to search for the medication that was giving to the patient in facilty 6 by using the IDS that I stored in the field START, can someone please please help me?


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-23-2021 08:40 PM

Hi @andres91302,

Can you please test below? This will use the id_users from the first search in second search.

index="medi" bloodp="high" facility=6 trx=* 
    [ search index="medi" bloodp="high" id_user=* facility=5 
    | stats count by id_user 
    | fields id_user] 
| eval treatmentchose=trx
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-23-2021 08:40 PM

Hi @andres91302,

Can you please test below? This will use the id_users from the first search in second search.

index="medi" bloodp="high" facility=6 trx=* 
    [ search index="medi" bloodp="high" id_user=* facility=5 
    | stats count by id_user 
    | fields id_user] 
| eval treatmentchose=trx
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-24-2021 07:28 PM

@scelikok  Thank you so much my friend.. how would you find the interset beween the two trx? is ther any funtion to find the vales that both fields share???

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...