Splunk Search

How to pass a field from subsearch to main search and perform search on another source

Sivakesava574
Explorer

How to pass a field from subsearch to main search and perform search on another source

i am trying  to use  below to search all the UUID's returned from subsearch on path1 to Path2, but the below search string is not working properly 

source ="Path2" | eval id=[search source="Path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | |return $UUID]

suggest me on where i am doing wrong

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Is UUID a field which is already extracted in the first search or do you need to extract it before searching for matching values e.g. something like this

source = "Path2" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | search [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]

View solution in original post

0 Karma

Sivakesava574
Explorer

i explored couple more options, but still unable to get what i intended to do 

source = "Path2" [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]

I see sub search is returning valid results but some how it is not being applied to main search 

search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format

Output: ( ( UUID="API-217008d9-373c-49f1-a51c-51c53f96c6c6-1628298298579" ) OR ( UUID="API-b5259d2f-5744-4745-b86c-f02877439c87-1628276133453" ) )

Please advise how to pass these values to main search 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Is UUID a field which is already extracted in the first search or do you need to extract it before searching for matching values e.g. something like this

source = "Path2" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | search [search source="path1" "HTTP/1.1\" 500" OR "HTTP/1.1\" 400" OR "HTTP/1.1\" 404" | rex "universal-request-id- (?<UUID>.*?)\s*X-df-elapsed-time-ms" | fields UUID | format ]
0 Karma

Sivakesava574
Explorer

This is working now. I used this option before posting the question but missed using "search" after extracting the field from main search. once i used that search it is working like a charm. Thanks very much for this

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

Could you try this https://community.splunk.com/t5/Splunk-Search/Subsearch-fields-quot-query-quot-quot-search-quot-How-...

... | eval id=[.....| rename UUID as search] 

r. Ismo

0 Karma

Sivakesava574
Explorer

Hi,  i tried the above options but it did not resolve my issue. 

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...