Security

Use field from one source to query another source

mdacutanan
New Member

I am fairly new to Splunk and have had no formal training. I am having a difficult time taking a field from one source as input to search another source.

Here is my first query:


index=ivr sourcetype=ivr_history [search sourcetype=ivr_history "2062401185"| fields sidnum host]| stats values(sessID2) by host sidnum


The OUTPUT of the query above shows host, sidnum and sessID2. Now I want to search another source called ivr_sef. I want to use sessID2 to search source ivr_sef and, if found, return the field 'id' (which should actually be the same as sessID2).

I modified my first query to the query below, but the output for the id field comes out empty! I do know for a fact that the sessID value exists in source ivr_sef (inside field id) because I have searched for it manually and separately beforehand. Please help!


index=ivr sourcetype=ivr_history OR ivr_sef [search sourcetype=ivr_history "2062401185"| fields sidnum host]| eval common=coalesce(sessID2, id)|stats values(sessID2) values(id) by host sidnum


0 Karma

yannK
Splunk Employee

Your approach is the right one:
use the result of a subsearch to populate the search conditions of the main search.

conditionA=A [search othersearch| table conditionB]
will become the equivalent of
conditionA=A AND (conditionB=B1 OR conditionB=B2 OR ..... OR conditionB=Bx )

So you may have a field that has a different name in your 2 searches (id or sidnum). You should attach a sample, and the result of the subsearch.

0 Karma

mdacutanan
New Member

Hello yannK! For my first query (source ivr_history), I need the output to show host, sidnum & sessID. I am able to achieve this using this query:
index=ivr sourcetype=ivr_history [search sourcetype=ivr_history "some data"| fields sidnum host sessID2]| table sidnum host sessID2| dedup sidnum host sessID2

The 2nd query has a different source: ivr_sef.
Manually, I would run the query above, copy the sessID2 value and paste it into this query:
index=ivr sourcetype=ivr_sef "pasted sessID value here"| table id
What I want to achieve is to combine these 2 queries and remove the manual copy-paste.
Thanks

0 Karma
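The two manual queries from the follow-up post, chained into one search using the subsearch expansion yannK describes. This is an added example, not code from the original posts or from Splunk documentation. It assumes the field names as posted (sidnum, host and sessID2 in ivr_history; id in ivr_sef), that both sourcetypes live in index=ivr, and that the phone number 2062401185 is the search key. Two things in the posted combined query keep the id column empty: in `sourcetype=ivr_history OR ivr_sef` the second term is a raw-text keyword rather than a sourcetype filter, and the subsearch's `sidnum=... host=...` conditions are appended to the outer search, so ivr_sef events, which carry neither field, are dropped before `coalesce` ever runs. The version below applies each filter only to the sourcetype that has the fields: the innermost subsearch finds sidnum and host for the phone number, the middle subsearch collects the matching sessID2 values and uses `return` to rewrite them as `id=` conditions, and the outer search runs only against ivr_sef.

```spl
index=ivr sourcetype=ivr_sef
    [ search index=ivr sourcetype=ivr_history
          [ search index=ivr sourcetype=ivr_history "2062401185"
            | fields sidnum host ]
      | dedup sessID2
      | return 1000 id=sessID2 ]
| table id
```

After expansion the outer search reads `index=ivr sourcetype=ivr_sef (id="<sessID2 value 1>" OR id="<sessID2 value 2>" OR ...)`. The count on `return` matters: its default is 1, which would silently keep only the first session. Subsearches are also bounded by the `[subsearch]` settings in limits.conf (10,000 results and 60 seconds by default); if the phone number maps to more sessions than that, the expanded condition is truncated and some ids will be missing without any error in the result table, so check the search job inspector when the count looks low. To keep sidnum and host beside id, run the inner part on its own, then `join type=left sessID2` against an ivr_sef subsearch that does `eval sessID2=id | table sessID2 id`.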