Solved: Filtering data using a second query

jacu86 · ‎11-07-2023

I have data in two different applications. I need to get fields from one query to use as filters for another, like this:

```
app=app1 | rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com" | where app_name in [ search app=app2 | table app_name ]
```

app2 has a field named app_name which I'm turning into a table. app1 doesn't have this field, but I'm creating and extracting it with a regex.

I only want the app names from app1 if they exist in the table I'm creating from app2. This query isn't working for me, what can I do? Thank you for any help.

gcusello · ‎11-07-2023

Hi @jacu86 ,

there's only one attention point: the field used for the filtering must be the same in main and sub search:

app=app1 
| rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com" 
| search [ search app=app2 | fields app_name ]

if not, you have to rename it.

One additional hint: use always the index= filter to have faster searches.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-07-2023

Hi @jacu86 ,

there's only one attention point: the field used for the filtering must be the same in main and sub search:

app=app1 
| rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com" 
| search [ search app=app2 | fields app_name ]

if not, you have to rename it.

One additional hint: use always the index= filter to have faster searches.

Ciao.

Giuseppe

Filtering data using a second query

subsearch

table

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!