Security

using search results as variable in another search

darkins
Engager

So I have search A, which creates a variable from the search results (variableA).

I need to search another index using variableA in the source, and I want to append one column from the second search into a table with the results from the first.

Like this:

index=blah source=blah | rex variableA=blah, field1=blah,field2=blah,field3=blah, 

index=blah source=$variableA$ | rex field4=blah

table field1, field2, field3,field4

Not sure how this gets done?


isoutamo
SplunkTrust

Hi

Normally Splunk's way of working is different from what you have in procedural languages. It helps us to help you if we can see your real use case and sample events.

If you really need this kind of functionality then you could look at the map command to achieve this. Anyway, it has some restrictions which could create some additional challenges for you.

r. Ismo


darkins
Engager

Well, it seems the map command does work in my environment.

There is no relation between the two queries. To be more specific, I have a full query that returns everything I need in named columns. I then want to use one of the fields from this query in the search parameters for a second query and return the result as an additional column:

Query 1

index=indexA source=/dir1/dir2/*/*/file.txt  |rex field=source "\/dir1\/dir2\/(?<variableA>.+?(?=\/))\/(?<variableB>.+?(?=\/)).*" |table variableA, variableB

This will give me 1000 events.

Query 2

index=indexA source=/dir1/dir2/$variableA$/$variableB$/file2.txt  |rex field=_raw "(?<variableC>.+?(?=\/))*" 

This will give me one event.

I then want my table to be variableA, variableB, variableC, where variableC is the same for each of the 1000 events returned from Query 1.


bowesmana
SplunkTrust

It seems you do actually have correlation, which is the 3rd and 4th path elements of the source, so you can merge the event data on variableA and variableB using eventstats like this:

``` Having extracted variableC from _raw this just clears variableC 
    from all events that are not the primary match, i.e. file.txt ```
| eval variableC=if(match(source, "\/file2.txt$"), variableC, null())
``` Need to get rid of the second data set events ```
| eval keep=if(isnull(variableC), 1, 0)

``` Now collect all values (1) of variableC by the matching path elements ```
| eventstats values(variableC) as variableC by variableA, variableB

``` Now just hang on to first dataset ```
| where keep=1

Here's a simulated working example:

| makeresults count=10
``` Create two types of path d0 and d1 /d3 ```
| eval source="/dir1/dir2/d".(random() % 2)."/d3/file.txt"
``` So we get an incorrect variableC extraction we don't want ```
| eval _raw="main_event_has_raw_match/"

``` Now add in a match for the two types above ```
| append [
  | makeresults count=2
  | streamstats c
  | eval source="/dir1/dir2/d".(if(c=1, "0", "1"))."/d3/file2.txt"
  | eval _raw="bla".c."/"
  | fields - c
]
| rex field=source "\/dir1\/dir2\/(?<variableA>.+?(?=\/))\/(?<variableB>.+?(?=\/))\/.*" 
| rex field=_raw "(?<variableC>.+?(?=\/))*"
| eval variableC=if(match(source, "\/file2.txt$"), variableC, null())
| eval keep=if(isnull(variableC), 1, 0)
| eventstats values(variableC) as variableC by variableA, variableB
| where keep=1
| table variable*
| sort variableA


PickleRick
SplunkTrust

Using map for this would be extremely ineffective.


bowesmana
SplunkTrust

What is the correlation to join the two datasets together? I.e., in the second index where you want field4, how does it know which event in the second dataset correlates with which event in the first index?

Generally the solution is to search both datasets and then combine the two with some common correlation element using stats.

Can you be a bit more specific and give a more detailed example?

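The stats-based merge bowesmana describes, written out as an added example (not code from the thread): it assumes the same index and path layout as the question, gives one row per variableA/variableB pair instead of one per event, and, unlike the eventstats version above, flags pairs that have no file2.txt match or an ambiguous one.

```spl
``` Added example: one search over both files, then a single stats keyed on
    the 3rd and 4th path elements. Assumes both sources live in indexA. ```
index=indexA (source="/dir1/dir2/*/*/file.txt" OR source="/dir1/dir2/*/*/file2.txt")
``` Join keys and file name from the path; [^\/]+ stops at the next slash ```
| rex field=source "\/dir1\/dir2\/(?<variableA>[^\/]+)\/(?<variableB>[^\/]+)\/(?<fname>[^\/]+)$"
``` variableC only exists in file2.txt events; blank it everywhere else ```
| rex field=_raw "^(?<variableC>[^\/]+)"
| eval variableC=if(fname="file2.txt", variableC, null())
| eval is_primary=if(fname="file.txt", 1, 0)
``` One row per key pair: number of file.txt events plus the attached value ```
| stats sum(is_primary) as file_events, values(variableC) as variableC, dc(variableC) as distinct_c by variableA, variableB
``` Surface the two failure modes instead of silently producing null or multivalue ```
| eval status=case(distinct_c=0, "no file2.txt match", distinct_c>1, "multiple variableC values", true(), "ok")
| where file_events>0
| table variableA, variableB, variableC, file_events, status
```

Pairs with status other than "ok" are the ones the eventstats version would have left with an empty or multivalue variableC.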