Splunk Search

How can I correlate results from two separate searches?

jmillpps
New Member

I have syslog formatted events that correlate together based on one value, and a search that will pull a single line of those events:

s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u

The search to be performed is to pull events matching 'mid' value: 2jhsd9asdhjs9s2hn2u

This search results in the following events found:

s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u

I would like to search for all events relating to the two 's' values found (1js832fc and 28s72d) from the initial search by 'mid' (2jhsd9asdhjs9s2hn2u).

I am finding it difficult to perform a search based on values found in a search, and sub-searches seem to be limited to the events that were found within the search, instead of searching back through the entire index? The result I would like is a search that initially searches for 'mid', and then searches back through the index for events that match the found events 's' value, and the end result would be all of the events above:

s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u

Is this possible?


DalJeanis
Legend

Try this...

your search that gets all the above events
| eventstats values(mid) as myMid by s
| where myMid="thevalueyouwant"

The above assumes that only one value for mid will exist for any one value of s. If there might be an occasional situation where there might be two mids on a single s, then do this...

your search that gets all the above events
| eventstats values(mid) as myMid by s
| mvexpand myMid
| where myMid="thevalueyouwant"
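The two-pass logic in this answer (collect every mid seen per s, then keep every event whose s carries the wanted mid), as an added Python example that is not from the thread: it mirrors eventstats values(mid) by s followed by mvexpand and where over the question's sample lines, plus one constructed extra line that gives one s a second mid so the multiple-mids case is exercised.

```python
from collections import defaultdict

# Constructed sample input: the eight syslog-style lines from the question,
# one extra constructed line giving s=28s72d a second mid value, and one
# unrelated session that must not be returned.
SAMPLE_EVENTS = """\
s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=E extra=1 mid=othermid0001
s=7f7f7f event=A somedata=unrelated
"""


def parse_kv(line):
    """Split a 'key=value key=value ...' line into a dict (split on first '=')."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def correlate_by_mid(raw_events, wanted_mid, key="s"):
    """Return every event whose session (key) has wanted_mid among its mids."""
    events = [parse_kv(line) for line in raw_events.splitlines() if line.strip()]
    # Pass 1, like `eventstats values(mid) as myMid by s`: all mids per session.
    mids_by_key = defaultdict(set)
    for ev in events:
        if "mid" in ev and key in ev:
            mids_by_key[ev[key]].add(ev["mid"])
    # Pass 2, like `mvexpand myMid | where myMid=...`: set membership means a
    # session with several mids still matches when any one of them is wanted.
    return [ev for ev in events if wanted_mid in mids_by_key.get(ev.get(key), ())]


if __name__ == "__main__":
    for ev in correlate_by_mid(SAMPLE_EVENTS, "2jhsd9asdhjs9s2hn2u"):
        print(ev)
```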