Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me with the following Splunk search query?

jafarmat
New Member
‎10-12-2018 05:28 AM

Hi,

So i'm having this rule...

  index=logs sourcetype=console_test_1 "[Status] Discovered" 
    | rex "<regex rule>" | table orderId

...that outputs me a column with IDs. What i want to do is something like getting these IDs and using them in another search, which results i want to append to the one above. The second result is from another source type.

So, something like this:

  index=logs sourcetype=console_test_1 "[Status] Discovered" 
    | rex "<regex rule>" | table orderId ->  sourcetype=console_test_2 <orderId> | rex "<regex rule2>" | table result2 -> join column

I've search the net but haven't figured it out yet.

Thank you

Tags (1)
0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎10-12-2018 01:08 PM

hi @jafarmat,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2018 06:15 AM

I believe you want a subsearch. Subsearch results are passed to and become part of the main search.

See if this gets you going in the right direction.

sourcetype=console_test_2 [index=logs sourcetype=console_test_1 "[Status] Discovered" 
 | rex "<regex rule>" | fields orderId | format] | rex "<regex rule2>" | table result2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jafarmat
New Member
‎10-14-2018 01:56 AM

The thing is that i need the results(only one column) from let s say regex rule 2 so i can use them in regex rule1.I know about subsearches but i ve never seen one done in this manner

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2018 05:26 PM

You may need to be more specific about using the results of regex rule 2 in regex rule 1 as that is pretty much what this search does. It uses regex rule 1 to return a set of results that are then searched by regex rule 2.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...