Splunk Search

How do I use a field gathered from one search in a completely independent search (without a join)

splunkuser2127
Loves-to-Learn

I need to do one search with value A in the logs to get value B, then search on value B in another, independent search to get other information. How do I do this in Splunk (ideally without a join)?


DalJeanis
Legend

Let's assume that you need the value from

index=foo sourcetype=bar Field1="A"
| fields Field1 Field2

where the result happens to be

 Field1 Field2
   A      B

in order to make this search happen

index=foo sourcetype=baz Field3="B"
| fields Field3 Field4

and get the results

Field3  Field4
  B       C

There are at least two ways to link those searches.

The first is with a subsearch to find the first results, then feed that to the second search. This is what @richgalloway showed you above.

index=foo sourcetype=baz
   [ search index=foo sourcetype=bar Field1="A" | table Field2 | rename Field2 as Field3 ]
| fields Field3 Field4

The subsearch in square brackets will return its result into the first search as ( Field3="B" ). To see exactly what the first search returns, run that search standalone (without the word search) and add | format on the end. The result text will be in a single field called search.

That's fairly efficient if you are only running a single result, or if there are very few records at any given time to contend with.

However, if you wanted to match up a large number of records, then you probably want to go with the "splunk soup" method.

index=foo (sourcetype=bar Field1="*") OR (sourcetype=baz Field3="*")
| fields sourcetype Field1 Field2 Field3 Field4
| eval matchField=if(sourcetype="bar",Field2,Field3)
| stats values(Field1) as Field1 values(Field4) as Field4 by matchField

This will give you all the various matched up records, including one which looks like

matchField Field1 Field4
  B          A      C

richgalloway
SplunkTrust

Depending on the details you didn't provide, you may be able to use a subsearch. Subsearches execute first and the results become part of the main search. The catch is a subsearch is limited to returning 10,000 events. It looks something like this

index=indexB [ search index=indexA | fields fieldB | format ]
---
If this reply helps you, Karma would be appreciated.
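To make the mechanics of both answers concrete (the subsearch that @richgalloway describes, and the two methods in @DalJeanis's reply), here is an added example, not code from this thread or from Splunk, that emulates them in plain Python over constructed events. It reuses the thread's field names (Field1..Field4, sourcetype bar/baz); the sample events, the default subsearch cap of 10,000 rows as a `maxout` parameter, and the clause text that mirrors what `| format` emits are all assumptions for illustration. It shows the point a practitioner needs to see: the subsearch silently truncates at its row limit, while the stats-by-common-key "soup" also leaves one-sided rows (keys seen only on the baz side) that you have to filter out.

```python
"""Emulation of the two linking methods from the thread (subsearch + format, and the
stats-by-common-key "soup") in plain Python over constructed events. Added example,
not code from the thread or from Splunk; the sample events and the maxout value are
assumptions for illustration."""

from collections import defaultdict

# Constructed sample events standing in for index=foo (assumption: not real log data).
EVENTS = [
    {"sourcetype": "bar", "Field1": "A",  "Field2": "B"},
    {"sourcetype": "bar", "Field1": "A2", "Field2": "D"},
    {"sourcetype": "baz", "Field3": "B",  "Field4": "C"},
    {"sourcetype": "baz", "Field3": "B",  "Field4": "C2"},
    {"sourcetype": "baz", "Field3": "D",  "Field4": "E"},
    {"sourcetype": "baz", "Field3": "Z",  "Field4": "orphan"},
]


def search(events, **where):
    """Stand-in for the search command: AND of field=value terms; "*" means the field exists."""
    return [ev for ev in events
            if all(k in ev and (v == "*" or ev[k] == v) for k, v in where.items())]


def subsearch_format(inner_results, field, rename_to, maxout=10000):
    """Emulate `[ search ... | table <field> | rename <field> as <rename_to> | format ]`.

    Returns (values, clause): the values handed to the outer search and the text that
    `| format` places into it. Like a real subsearch, only the first `maxout` rows are
    used; rows beyond that are dropped (check the job inspector for the warning).
    """
    values = [ev[field] for ev in inner_results if field in ev][:maxout]
    clause = "( " + " OR ".join(f'( {rename_to}="{v}" )' for v in values) + " )"
    return values, clause


def outer_search(events, field, values, **where):
    """Outer search: the fixed terms AND (field=v1 OR field=v2 ...) from the subsearch."""
    wanted = set(values)
    return [ev for ev in search(events, **where) if ev.get(field) in wanted]


def link_by_subsearch(events, field1="A", maxout=10000):
    """Method 1: find Field2 for Field1=<field1> in bar, then search baz for Field3 in those values."""
    inner = search(events, sourcetype="bar", Field1=field1)
    values, clause = subsearch_format(inner, "Field2", "Field3", maxout=maxout)
    rows = outer_search(events, "Field3", values, sourcetype="baz")
    return clause, [(ev["Field3"], ev["Field4"]) for ev in rows]


def link_by_soup(events):
    """Method 2, one pass over both sourcetypes:
       ... (sourcetype=bar Field1="*") OR (sourcetype=baz Field3="*")
       | eval matchField=if(sourcetype="bar",Field2,Field3)
       | stats values(Field1) as Field1 values(Field4) as Field4 by matchField
    Returns {matchField: {"Field1": [...], "Field4": [...]}} with values() semantics:
    unique, sorted, nulls ignored."""
    groups = defaultdict(lambda: {"Field1": set(), "Field4": set()})
    both = search(events, sourcetype="bar", Field1="*") + search(events, sourcetype="baz", Field3="*")
    for ev in both:
        key = ev.get("Field2") if ev["sourcetype"] == "bar" else ev.get("Field3")
        if key is None:
            continue  # stats ... by drops rows whose split-by field is null
        for f in ("Field1", "Field4"):
            if f in ev:
                groups[key][f].add(ev[f])
    return {k: {f: sorted(s) for f, s in g.items()} for k, g in groups.items()}


def matched_only(soup_rows):
    """Keep keys seen on both sides, i.e. a trailing
       | where isnotnull(Field1) AND isnotnull(Field4)"""
    return {k: g for k, g in soup_rows.items() if g["Field1"] and g["Field4"]}


if __name__ == "__main__":
    print(link_by_subsearch(EVENTS))
    print(link_by_subsearch(EVENTS, field1="*", maxout=1))  # truncated: D never reaches baz
    print(matched_only(link_by_soup(EVENTS)))
```

The `maxout=1` call is the failure mode to remember: the outer search still runs and returns plausible rows, so a truncated subsearch does not fail loudly. In the soup result, key Z carries a Field4 but an empty Field1; the `where isnotnull(...)` filter is what turns the grouped rows into actual matches.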