Splunk Search

How can I correlate results from two separate searches?


I have syslog-formatted events that correlate together based on one value, and a search that will pull a single line of those events:

s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u

The search to be performed is to pull events matching 'mid' value: 2jhsd9asdhjs9s2hn2u

This search results in the following events found:

s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u

I would like to search for all events relating to the two 's' values found (1js832fc and 28s72d) from the initial search by 'mid' (2jhsd9asdhjs9s2hn2u).

I am finding it difficult to perform a search based on values found in a search, and sub-searches seem to be limited to the events that were found within the search instead of searching back through the entire index. The result I would like is a search that initially searches for 'mid', and then searches back through the index for events that match the found events' 's' value; the end result would be all of the events above:

s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u

Is this possible?


Re: How can I correlate results from two separate searches?


Try this...

your search that gets all the above events
| eventstats values(mid) as myMid by s
| where myMid="thevalueyouwant"

The above assumes that only one value for mid will exist for any one value of s. If there might occasionally be two mids on a single s, then do this...

your search that gets all the above events
| eventstats values(mid) as myMid by s
| mvexpand myMid
| where myMid="thevalueyouwant"
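The logic of the answer above, carried out in plain Python rather than SPL, as an added example that is not part of the original question or answer: parse the key=value lines, collect the set of mid values seen per s (the equivalent of eventstats values(mid) by s), keep the s values whose set contains the mid of interest, and then return every event for those s values. The eight sample lines are taken from the post; the three extra lines (an unrelated s with no mid, and an s that carries two different mid values) are constructed here to show that unrelated sessions are dropped and that a group with more than one mid is still matched, which is the multivalue case the answer's second variant handles with mvexpand.

```python
import re
from collections import defaultdict

# Constructed sample log lines: the eight events from the post plus three
# added here to exercise edge cases (an s with no mid at all, and an s that
# carries two different mid values).
SAMPLE_EVENTS = [
    "s=1js832fc event=A somedata=9sdsh",
    "s=1js832fc event=B someotherdata=3s2jd",
    "s=1js832fc event=C someotherotherdata=12s93d",
    "s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u",
    "s=28s72d event=A somedata=8sd6d",
    "s=28s72d event=B someotherdata=27sh2d",
    "s=28s72d event=C someotherotherdata=28s7s2",
    "s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u",
    "s=9x9x9x event=A somedata=zzz",
    "s=77ab event=D someotherotherotherdata=qq mid=someothermid",
    "s=77ab event=E someotherotherotherdata=rr mid=2jhsd9asdhjs9s2hn2u",
]

# key=value pairs separated by whitespace, as in the post's syslog lines.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value line into a dict; the raw line is kept under '_raw'."""
    fields = dict(KV_RE.findall(line))
    fields["_raw"] = line
    return fields


def correlated_groups(lines, group_key, match_field, match_value):
    """Return the set of group_key values whose events include match_field=match_value.

    Equivalent to `eventstats values(match_field) by group_key` followed by a
    filter: every group's match_field values are collected as a set, so a
    group with several distinct values (the mvexpand case) still matches.
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if group_key in ev and match_field in ev:
            seen[ev[group_key]].add(ev[match_field])
    return {g for g, vals in seen.items() if match_value in vals}


def correlated_events(lines, group_key, match_field, match_value):
    """Return, in original order, every raw line whose group_key value was
    found by correlated_groups(), i.e. all events of the sessions that
    produced a hit, not just the hit events themselves."""
    hits = correlated_groups(lines, group_key, match_field, match_value)
    return [line for line in lines if parse_event(line).get(group_key) in hits]


if __name__ == "__main__":
    for line in correlated_events(SAMPLE_EVENTS, "s", "mid", "2jhsd9asdhjs9s2hn2u"):
        print(line)
```

The two-pass structure (find the groups, then re-scan for all their events) is also what the subsearch form of the query does in Splunk; the eventstats form in the answer gets the same result in one pass by attaching the per-s set of mid values to every event before filtering.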