Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass a field from subsearch to main search and perform search on another source

Sivakesava574
Explorer
‎08-05-2021 05:27 AM

How to pass a field from subsearch to main search and perform search on another source

i am trying  to use  below to search all the UUID's returned from subsearch on path1 to Path2, but the below search string is not working properly 

source ="Path2" | eval id=[search source="Path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | |return $UUID]

suggest me on where i am doing wrong

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2021 03:54 AM

Is UUID a field which is already extracted in the first search or do you need to extract it before searching for matching values e.g. something like this

source = "Path2" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | search [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Sivakesava574
Explorer
‎08-09-2021 03:40 AM

i explored couple more options, but still unable to get what i intended to do 

source = "Path2" [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]

I see sub search is returning valid results but some how it is not being applied to main search 

search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format

Output: ( ( UUID="API-217008d9-373c-49f1-a51c-51c53f96c6c6-1628298298579" ) OR ( UUID="API-b5259d2f-5744-4745-b86c-f02877439c87-1628276133453" ) )

Please advise how to pass these values to main search 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-09-2021 03:54 AM

Is UUID a field which is already extracted in the first search or do you need to extract it before searching for matching values e.g. something like this

source = "Path2" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | search [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]
0 Karma
Reply
Solved! Jump to solution

Sivakesava574
Explorer
‎08-09-2021 04:22 AM

This is working now. I used this option before posting the question but missed using "search" after extracting the field from main search. once i used that search it is working like a charm. Thanks very much for this

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-05-2021 05:40 AM

Hi

Could you try this https://community.splunk.com/t5/Splunk-Search/Subsearch-fields-quot-query-quot-quot-search-quot-How-...

... | eval id=[.....| rename UUID as search]

r. Ismo

0 Karma
Reply
Solved! Jump to solution

Sivakesava574
Explorer
‎08-06-2021 01:07 PM

Hi,  i tried the above options but it did not resolve my issue. 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...