Is it possible to create a new search based off of the results of a previous search? In my example below I use a regex to extract a new column with all my user names, which are extracted from User.
index="source1" source="event-source" | rex field=_raw "(?:string1=\")(?<User>.*)(?:user account\")"
My goal would be to then create a new search of each user in another source
[Pseudo example] index-source1 source-user-source | search User | Select Id, name, phone, etc.
It looks something like this ...
index="source1" source="user-source"
[ search index="source1" source="event-source"
| rex field=_raw "(?:string1=\")(?<User>.*)(?:user account\")"
| table User
]
| table Id, name, phone, etc.
To see why this works, you should look at the format command. It takes all the events from the search and puts them into a field called search in this format:
( ( User="firstUserValue" ) OR ( User="secondUserValue" ) OR ... )
To see what that looks like, run this...
index="source1" source="event-source"
| rex field=_raw "(?:string1=\")(?<User>.*)(?:user account\")"
| table User
| format
...and then just remember that anything in square brackets is run first and returned that way. If at the end of the square brackets there is only a field named search, then it is returned as-is. If not, then the format command is implicitly run to convert the records to a single return field named search.
(There are also a couple of other possibilities, like using the return verb, but those are what matter for your question here.)
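To make the subsearch expansion described in this answer concrete, here is an added Python emulation (not Splunk's code and not part of the original thread): it runs the question's rex over a few constructed event lines, applies the default `format` layout to the resulting rows, and splices the result into the outer search. The event lines, the slightly tightened regex (it stops at the closing quote) and the quoting rule in `_quote` are assumptions of this example.

```python
import re

# Constructed sample events standing in for index="source1" source="event-source".
EVENTS = [
    '2024-03-01T10:00:00 evt=login string1="alice user account" result=ok',
    '2024-03-01T10:00:05 evt=heartbeat host=web01',
    '2024-03-01T10:00:09 evt=login string1="bob user account" result=ok',
    '2024-03-01T10:00:12 evt=login string1="o\'brien user account" result=fail',
]

# Adaptation of the question's rex (assumption): Python named-group syntax, and the
# capture is non-greedy so it stops at the closing quote of the value.
USER_RE = re.compile(r'string1="(?P<User>[^"]*?)\s*user account"')


def rex_users(events):
    """Emulate `rex field=_raw ... | table User`: one row per event that matched."""
    return [{"User": m.group("User")} for m in map(USER_RE.search, events) if m]


def _quote(value):
    # Values are written as "..."; backslashes and double quotes inside are escaped (assumption).
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def spl_format(rows):
    """Emulate `format` with its default separators:
    ( ( f1="v1" AND f2="v2" ) OR ( f1="v3" AND f2="v4" ) ... )"""
    clauses = ["( " + " AND ".join(f"{k}={_quote(v)}" for k, v in r.items()) + " )" for r in rows]
    return "( " + " OR ".join(clauses) + " )"


def subsearch_result(rows):
    """What the square brackets hand to the outer search: a lone `search` field is
    returned as-is, anything else goes through `format` implicitly.
    (What real Splunk does with an empty subsearch is not modelled here.)"""
    if len(rows) == 1 and list(rows[0]) == ["search"]:
        return rows[0]["search"]
    return spl_format(rows)


def build_outer_search(events):
    """The answer's query with the subsearch already expanded into a filter."""
    filt = subsearch_result(rex_users(events))
    return f'index="source1" source="user-source" {filt} | table Id, name, phone'


if __name__ == "__main__":
    print(build_outer_search(EVENTS))
```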
Thanks for such a detailed response. I really appreciate the explanation.
What he said.
Yes, this is very common. You do it with a subsearch:
http://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutsubsearches