How to use a field as the "criteria search values" of another search in a Multisearch

andres91302
Communicator

Hello Fellas!

I've been trying for so many days to use the values stored in a field as values to search for in another subset of a multisearch without any luck. I hope I am making myself understood.

What I want to do:

1) Store the IDs from the first search and save them in a field named START
2) Use all the IDs I have in the field START to run another search which requires the field id_user

What I'm doing:

| multisearch

[|search index="medi" AND bloodp="high" AND id_user=* AND facility=5
| eval START=id_user]

[|search index="medi" AND bloodp="high" AND id_user=START AND facility=6 AND trx=*
| eval treatmentchose=trx]

I cannot seem to use the IDs in facility 5 to search for the medication that was given to the patient in facility 6 by using the IDs that I stored in the field START. Can someone please, please help me?


0 Karma

scelikok
Champion

Hi @andres91302,

Can you please test the search below? This will use the id_users from the first search in the second search.

index="medi" bloodp="high" facility=6 trx=* 
    [ search index="medi" bloodp="high" id_user=* facility=5 
    | stats count by id_user 
    | fields id_user] 
| eval treatmentchose=trx

If this reply helps you, an upvote is appreciated.

0 Karma
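
A small Python model of the difference between the two searches in this thread, added here as an illustration and not written by either poster. It shows why `id_user=START` matches nothing (it is compared against the literal string) and how a subsearch's rows are turned into an OR filter for the outer search. The sample events and all function names are constructed for this example.

```python
# Constructed sample events; field names follow the thread (index "medi").
EVENTS = [
    {"id_user": "101", "bloodp": "high", "facility": "5"},
    {"id_user": "101", "bloodp": "high", "facility": "6", "trx": "drugA"},
    {"id_user": "102", "bloodp": "high", "facility": "5"},
    {"id_user": "103", "bloodp": "high", "facility": "6", "trx": "drugB"},
    {"id_user": "102", "bloodp": "low", "facility": "6", "trx": "drugC"},
    {"id_user": "104", "bloodp": "high", "facility": "5"},
    {"id_user": "101", "bloodp": "high", "facility": "5"},  # repeat visit
]

def base_facility6(events):
    """Outer search terms: bloodp="high" facility=6 trx=*"""
    return [e for e in events
            if e.get("bloodp") == "high" and e.get("facility") == "6" and "trx" in e]

def literal_filter(events):
    """Second multisearch branch from the question: id_user=START.
    START is read as a literal value, not as a field from another branch."""
    return [e for e in base_facility6(events) if e.get("id_user") == "START"]

def inner_search(events):
    """[ search ... id_user=* facility=5 | stats count by id_user | fields id_user ]
    Returns one row per distinct id_user, like the stats/fields pair."""
    ids = {e["id_user"] for e in events
           if e.get("bloodp") == "high" and e.get("facility") == "5" and "id_user" in e}
    return [{"id_user": i} for i in sorted(ids)]

def format_subsearch(rows):
    """Render non-empty subsearch rows as the filter substituted into the outer search."""
    terms = ['( {} )'.format(" AND ".join(f'{k}="{v}"' for k, v in r.items()))
             for r in rows]
    return "( " + " OR ".join(terms) + " )"

def outer_search(events, rows):
    """Outer search ANDed with the subsearch filter, then eval treatmentchose=trx."""
    wanted = {r["id_user"] for r in rows}
    return [dict(e, treatmentchose=e["trx"])
            for e in base_facility6(events) if e["id_user"] in wanted]

if __name__ == "__main__":
    rows = inner_search(EVENTS)
    print("literal START matches:", literal_filter(EVENTS))
    print("subsearch expands to :", format_subsearch(rows))
    print("outer search results :", outer_search(EVENTS, rows))
```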

andres91302
Communicator

@scelikok Thank you so much, my friend. How would you find the intersection between the two trx? Is there any function to find the values that both fields share?

0 Karma