Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine multiple search

msg4sunil
Path Finder
‎03-20-2022 05:39 PM

How do combine the below 2 searches into one?

1. * orderid|stats count by id

returns something like 

2022-03-21T00:10:16,999Z ...INFO [thread_id=12349, id=VU53ZQCTTMLPG, .....
2022-03-21T00:10:16,995Z....INFO [thread_id=549, id=F2PAC6ITNX6O3,

2. Based on the above response, I need to query as below after fetching the "id".  Note, "id's would vary for different orderid and the number of "id"'s would also vary 

id IN ("VU53ZQCTTMLPG","F2PAC6ITNX6O3")

 

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-20-2022 06:32 PM

@msg4sunil 

index=* [
  search index=* "985be6370637" 
  | stats count by id
  | fields id
]

It is not good practice to use index=* - admins do not like users who cast a wide search net - always be as specific as possible when making your search - particularly in this case, you are making two searches.

 

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-20-2022 05:55 PM

There are a number of ways to do this, with subsearches, joins or aggregations, but it's not easy to give you an absolute solution.

The most obvious example from your description is the subsearch, which would be something like

Your second search [ 
  search your first search
  | stats count by id | fields id
]

which would pass the list of ids in the subsearch to the outer search which is effectively doing 

(id1 OR id=2 OR id=3..)

as part of the outer search

You can use other techniques, such as searching for all the data in a single search and then manipulating it with eval/stats to get to your desired output, but need more info on that.

join command is an option, but should rarely be the first choice, as 'join' has limitations and is not really the way to do this sort of task in Splunk world

 

0 Karma
Reply
Solved! Jump to solution

msg4sunil
Path Finder
‎03-20-2022 06:20 PM

@bowesmana , can you please give one example?  The below doesnt work.

index=* id IN [index=* "985be6370637"| fields id]

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-20-2022 06:32 PM

@msg4sunil 

index=* [
  search index=* "985be6370637" 
  | stats count by id
  | fields id
]

It is not good practice to use index=* - admins do not like users who cast a wide search net - always be as specific as possible when making your search - particularly in this case, you are making two searches.

 

Reply
Solved! Jump to solution

msg4sunil
Path Finder
‎03-20-2022 06:56 PM

Thank you very much @bowesmana for timely help.  Sure, will make the index name as explicit instead of using *.

Thanks again.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...