Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I pass a value I retrieve in the first part of a query to a second part in a second source?

dlespron
Path Finder
‎01-15-2014 08:16 AM

For instance, I have a search where I want to query for a value that would set that value to orderid such as:

sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?P\d+)\D" | search "|11=|" | fields orderid

and this query is able to take the error message and find what follows "11=" and set its to a value called orderid, but I then want to take that value I've set as orderid and have it query from a second source all as part of the same query. I have tried adding this at the end in order to search the second source:

map search="search sourcetype="Source2" $orderid$"

So my entire query looks like this, I thought this would work but doesnt seem to be properly passing the value of orderid to query from the second source:

sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?P\d+)\D" | search "|11=|" | fields orderid | map search="search sourcetype="Source2" $orderid$"

Please help answer or offer any insight you may have, I may be doing this entirely wrong!

Tags (4)
0 Karma
Reply

Ayn
Legend
‎01-15-2014 08:43 AM

Use a subsearch - it's used precisely for these kinds of scenarios.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch

Reply

dlespron
Path Finder
‎01-15-2014 09:33 AM

Ok, I am looking into this now, can you help me to better understand? Right now I have this:sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?Pd+)D" | search "|11=|" | fields orderid

Which sets the orderid to a numerical value, what would I need to add to tell it to search "Source2" for that orderid?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...