Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I use the output from one serch as input to another?

pgunn
Engager
‎11-11-2012 11:40 AM

I have a log file that comes from an email gateway (Ironmail). Each inbound message generates multple records within the log file. I need to be able to search for content in one of these records to obtain the common field in another record to retrive the results I need. Basically, using the output from one serch as input to another.
How can I do this in one step within Splunk?

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎11-11-2012 03:44 PM

Or, you could be speaking of a transaction. It depends on how you're trying to frame it, and the type of data you're dealing with.

http://docs.splunk.com/Documentation/Splunk/5.0/Search/Identifyandgroupeventsintotransactions

http://blogs.splunk.com/2012/11/05/book-excerpt-finding-specific-transactions/

0 Karma
Reply

Lucas_K
Motivator
‎11-11-2012 01:13 PM

What you are looking for is a sub search.

http://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/Useasubsearch

Your subsearch will obtain the fields from the ironmail log which is then used as fields that are sent to the outer search.

example. index=other_index [search index=ironmail some_search_string | fields email_address ]

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...