Splunk Search

How to dynamically add results / correlate in a search with a sub-search

Engager

I want to dynamically add fields to my result set depending on a search I did.

How can I add fields/new columns based on a search from a result of the main search?

index=test
*
| table Computer
| appendcols [ search (index=another_test) Computer=$ParentSearch$.Computer) | head 1 | table Name ]
| table Computer, Name

dynamically. I can't work with lookups for each result because I want to generate the end result each time.
Can't do that manually. I need to be able to process this automatically.

Another example:

Let's say I am building a result set with a query.
When results show up, how can I enrich my resultset with values from another index?

What I am looking at is writing SPL which runs once and, during this one shot, correlates multiple events from multiple indexes. So the result should be further processed and enriched by information from other indexes/columns.

What is the best way to do that with Splunk in one SPL?

1 Solution

Path Finder

You are looking for the join command, i.e:

index=test
| table Computer
| join Computer [ search (index=another_test) | head 1 | table Name Computer]

This correlates the Computer field on both index test and another_test and joins the subsearch fields (except for the matching one).

Don't forget to upvote 🙂

Champion

I do not quite understand what you want to do.

For example, what about this search statement?

(index=test OR index=another_test)
|stats latest(Name) as Name by Computer
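
Putting the join answer and the stats answer side by side, as an added example that is not from either post: the first search keeps every Computer from index=test even when another_test has no matching Name (type=left) and fills the gap, while the second does the same enrichment in one pass with no subsearch. The index names and the Computer and Name fields are the ones from the question; the events and last_seen columns are assumptions added for illustration.

```spl
index=test
| stats count AS events, max(_time) AS last_seen BY Computer
| join type=left Computer
    [ search index=another_test
      | stats latest(Name) AS Name BY Computer ]
| fillnull value="unknown" Name
| convert ctime(last_seen)
| table Computer, Name, events, last_seen

(index=test OR index=another_test)
| eval event_time=if(index="test", _time, null())
| stats count(eval(index="test")) AS events, max(event_time) AS last_seen, latest(Name) AS Name BY Computer
| fillnull value="unknown" Name
| convert ctime(last_seen)
| table Computer, Name, events, last_seen
```

Prefer the stats form when the enrichment index is large: join runs its subsearch first and silently works with a truncated result once the subsearch result or time limits are reached, whereas a single stats pass has no such limit.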