How to pass result set from one query to main quer...

madhan_dc · ‎07-10-2021

I am running a query like this

index=main source=transferstatus sourcetype=logs transaction.transferSet.FileName="*myfile*" | stats dc(transaction.Id) by transaction.Id

this gives me the unique transaction Ids that i am looking for

Now i want to pass this unique transaction Ids to a query like below

index=main  source=transferstatus sourcetype=logs transaction.action="success" transaction.Id=[ pass each unique value i got from first query to here]

transaction.action="success" will not present on the first query results..

it will be part of success events that wont have "transaction.transferSet.FileName" field in it.

how do I join these two queries?

kamlesh_vaghela · ‎07-10-2021

@madhan_dc

Have you tried something like this?

index=main source=transferstatus sourcetype=logs transaction.action="success" [search index=main source=transferstatus sourcetype=logs transaction.transferSet.FileName="*myfile*" 
| stats dc(transaction.Id) by transaction.Id | fields transaction.Id]

KV

madhan_dc · ‎07-10-2021

not sure how this question landed in this section, can someone please move it to a Splunk query section if there is one. thanks. Sorry about this.

How to pass result set from one query to main query

other

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash