Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I pass a value I retrieve in the first part of a query to a second part in a second source?

dlespron
Path Finder
‎01-15-2014 08:16 AM

For instance, I have a search where I want to query for a value that would set that value to orderid such as:

sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?P\d+)\D" | search "|11=|" | fields orderid

and this query is able to take the error message and find what follows "11=" and set its to a value called orderid, but I then want to take that value I've set as orderid and have it query from a second source all as part of the same query. I have tried adding this at the end in order to search the second source:

map search="search sourcetype="Source2" $orderid$"

So my entire query looks like this, I thought this would work but doesnt seem to be properly passing the value of orderid to query from the second source:

sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?P\d+)\D" | search "|11=|" | fields orderid | map search="search sourcetype="Source2" $orderid$"

Please help answer or offer any insight you may have, I may be doing this entirely wrong!

Tags (4)
0 Karma
Reply

Ayn
Legend
‎01-15-2014 08:43 AM

Use a subsearch - it's used precisely for these kinds of scenarios.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch

Reply

dlespron
Path Finder
‎01-15-2014 09:33 AM

Ok, I am looking into this now, can you help me to better understand? Right now I have this:sourcetype="Source1" | search ErrorMessage | rex ".[1][1]=(?Pd+)D" | search "|11=|" | fields orderid

Which sets the orderid to a numerical value, what would I need to add to tell it to search "Source2" for that orderid?

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...