Splunk Search

How do I set the result of one search to be used in another search string?


In this search: (for example)

index="_internal" source="*metrics.log" group="per_host_thruput" series = ( result of another search indicating a specific index ) | chart sum(kb) by series | sort - sum(kb)

So that it will just display all the hosts that are related to a specific index.



You can simply use a subsearch in "[ ]", like this:

index=_internal source=*metrics.log group="per_host_thruput" [search something that will result in series=something] | chart sum(kb) by series | sort -sum(kb)

Hope this can help you!
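A filled-in version of the subsearch approach from the answer above, added here as an example and not part of the original posts. It assumes a placeholder index named `my_index` and a 24-hour window; the subsearch lists the hosts seen in that index and renames `host` to `series`, so the outer search receives a filter of the form `series="hostA" OR series="hostB" ...`.

```spl
index="_internal" source="*metrics.log" group="per_host_thruput"
    [ search index="my_index" earliest=-24h
      | stats count by host
      | fields host
      | rename host AS series ]
| chart sum(kb) by series
| sort - sum(kb)
```

To check what the subsearch expands to, run the part inside the brackets on its own with `| format` appended. The field name returned by the subsearch must match the field being filtered in the outer search, which is why the rename to `series` is needed.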