Re: How to pass result set from one query to main ...

madhan_dc · ‎07-10-2021

I am running a query like this

index=main source=transferstatus sourcetype=logs transaction.transferSet.FileName="*myfile*" | stats dc(transaction.Id) by transaction.Id

this gives me the unique transaction Ids that i am looking for

Now i want to pass this unique transaction Ids to a query like below

index=main  source=transferstatus sourcetype=logs transaction.action="success" transaction.Id=[ pass each unique value i got from first query to here]

transaction.action="success" will not present on the first query results..

it will be part of success events that wont have "transaction.transferSet.FileName" field in it.

how do I join these two queries?

kamlesh_vaghela · ‎07-10-2021

@madhan_dc

Have you tried something like this?

index=main source=transferstatus sourcetype=logs transaction.action="success" [search index=main source=transferstatus sourcetype=logs transaction.transferSet.FileName="*myfile*" 
| stats dc(transaction.Id) by transaction.Id | fields transaction.Id]

KV

madhan_dc · ‎07-10-2021

not sure how this question landed in this section, can someone please move it to a Splunk query section if there is one. thanks. Sorry about this.

How to pass result set from one query to main query

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!