How to pass a field from subsearch to main search and perform search on another source
I am trying to use the search below to look up, in Path2, all the UUIDs returned by the subsearch on Path1, but the search string below is not working properly:
source ="Path2" | eval id=[search source="Path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | return $UUID]
Please suggest where I am going wrong.
Is UUID a field which is already extracted in the first search, or do you need to extract it before searching for matching values, e.g. something like this:
source = "Path2" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | search [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]
I explored a couple more options, but I am still unable to get what I intended:
source = "Path2" [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]
I see the subsearch is returning valid results, but somehow they are not being applied to the main search:
search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format
Output: ( ( UUID="API-217008d9-373c-49f1-a51c-51c53f96c6c6-1628298298579" ) OR ( UUID="API-b5259d2f-5744-4745-b86c-f02877439c87-1628276133453" ) )
Please advise how to pass these values to the main search.
This is working now. I used this option before posting the question but missed using "search" after extracting the field in the main search. Once I used that search, it worked like a charm. Thanks very much for this.
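As an added illustration of what the accepted answer's subsearch does (this is not code from the thread or from Splunk), the Python below reproduces the pipeline over constructed log lines: the rex extraction, the format step that renders the subsearch results as an OR'ed UUID filter, and the search step that applies it to the Path2 events. The event text, the UUID values and the function names are all assumptions made for the example.

```python
import re

# Constructed sample events for Path1 (frontend access log) and Path2
# (backend log); they are not taken from the thread.
PATH1_EVENTS = [
    'GET /api/orders HTTP/1.1" 500 universal-request-id- API-0001-aaaa X-df-elapsed-time-ms 120',
    'GET /api/orders HTTP/1.1" 200 universal-request-id- API-0002-bbbb X-df-elapsed-time-ms 45',
    'GET /api/users HTTP/1.1" 404 universal-request-id- API-0003-cccc X-df-elapsed-time-ms 12',
]
PATH2_EVENTS = [
    'backend call universal-request-id- API-0001-aaaa X-df-elapsed-time-ms 98 db=timeout',
    'backend call universal-request-id- API-0002-bbbb X-df-elapsed-time-ms 30 db=ok',
    'backend call universal-request-id- API-0003-cccc X-df-elapsed-time-ms 9 db=missing',
]

# Same pattern as the thread's rex; Python spells the named group (?P<UUID>...)
# where SPL uses (?<UUID>...).
UUID_RE = re.compile(r"universal-request-id- (?P<UUID>.*?)\s*X-df-elapsed-time-ms")
# Equivalent of "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404".
STATUS_RE = re.compile(r'HTTP/1\.1" (500|400|404)\b')


def extract_uuid(event):
    """The rex step: pull the request id out of one event, or None."""
    match = UUID_RE.search(event)
    return match.group("UUID") if match else None


def subsearch(events):
    """search source="path1" <error statuses> | rex ... | fields UUID"""
    uuids = []
    for event in events:
        if STATUS_RE.search(event):
            uuid = extract_uuid(event)
            if uuid:
                uuids.append(uuid)
    return uuids


def format_clause(uuids):
    """The format step: render the result rows as one OR'ed filter string."""
    return "( " + " OR ".join(f'( UUID="{u}" )' for u in uuids) + " )"


def main_search(events, uuids):
    """source="Path2" | rex ... | search [ ...subsearch... ]"""
    wanted = set(uuids)
    return [e for e in events if extract_uuid(e) in wanted]
```

Keep the subsearch result limits in mind when Path1 carries many error responses: by default a subsearch returns at most 10,000 results and is cut off after 60 seconds, so the generated filter can silently miss UUIDs.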
Hi
Could you try this: https://community.splunk.com/t5/Splunk-Search/Subsearch-fields-quot-query-quot-quot-search-quot-How-...
... | eval id=[.....| rename UUID as search]
r. Ismo
Hi, I tried the above options, but they did not resolve my issue.