Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass a field from subsearch to main search and perform search on another source

Sivakesava574
Explorer
‎08-05-2021 05:27 AM

How to pass a field from subsearch to main search and perform search on another source

i am trying  to use  below to search all the UUID's returned from subsearch on path1 to Path2, but the below search string is not working properly 

source ="Path2" | eval id=[search source="Path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | |return $UUID]

suggest me on where i am doing wrong

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2021 03:54 AM

Is UUID a field which is already extracted in the first search or do you need to extract it before searching for matching values e.g. something like this

source = "Path2" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | search [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Sivakesava574
Explorer
‎08-09-2021 03:40 AM

i explored couple more options, but still unable to get what i intended to do 

source = "Path2" [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]

I see sub search is returning valid results but some how it is not being applied to main search 

search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format

Output: ( ( UUID="API-217008d9-373c-49f1-a51c-51c53f96c6c6-1628298298579" ) OR ( UUID="API-b5259d2f-5744-4745-b86c-f02877439c87-1628276133453" ) )

Please advise how to pass these values to main search 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2021 03:54 AM

Is UUID a field which is already extracted in the first search or do you need to extract it before searching for matching values e.g. something like this

source = "Path2" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | search [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]
0 Karma
Reply
Solved! Jump to solution

Sivakesava574
Explorer
‎08-09-2021 04:22 AM

This is working now. I used this option before posting the question but missed using "search" after extracting the field from main search. once i used that search it is working like a charm. Thanks very much for this

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-05-2021 05:40 AM

Hi

Could you try this https://community.splunk.com/t5/Splunk-Search/Subsearch-fields-quot-query-quot-quot-search-quot-How-...

... | eval id=[.....| rename UUID as search]

r. Ismo

0 Karma
Reply
Solved! Jump to solution

Sivakesava574
Explorer
‎08-06-2021 01:07 PM

Hi,  i tried the above options but it did not resolve my issue. 

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...