How to pass a value extracted from a main search to a sub search from different source?

New Member

Example:

source="FILE1.log" search_input | rex ".*]*Rpc id :(?<rpc_id>[0-9][0-9][0-9][0-9][0-9][0-9])" | append [search source="FILE2.log" rpc_id]
0 Karma

Re: How to pass a value extracted from a main search to a sub search from different source?

Champion

Hi @vivek991985
You can't pass a value from a main search to a sub search, it works the other way round.
That being said and from what I can understand try something like this -

source="FILE2.log" | eval id=[search source="FILE1.log" search_input | rex ".*]*Rpc id :(?<rpc_id>[0-9][0-9][0-9][0-9][0-9][0-9])" | return $rpc_id]

Basically, the eval gets executed first and whatever rex you are performing (assuming the rex works) gets assigned to the field id; you can then pipe on and do what you need with the FILE2.log source.

0 Karma
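
Added example, not part of the original answer: the same subsearch used as a filter on FILE2.log instead of as an eval value, so that only events carrying an extracted id come back. It reuses the thread's source names and the rpc_id field; the count of 100, the shortened six-digit pattern and the final table are assumptions.

```spl
source="FILE2.log"
    [ search source="FILE1.log" search_input
      | rex "Rpc id :(?<rpc_id>[0-9]{6})"
      | where isnotnull(rpc_id)
      | dedup rpc_id
      | return 100 $rpc_id ]
| table _time source _raw
```

Splunk runs the bracketed subsearch first and substitutes its output into the outer search as the id values ORed together as raw terms, so the outer search matches FILE2.log events that contain any of those ids. Subsearches are capped on result count and runtime, so a wide time range on FILE1.log can leave some ids out of the filter.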

Re: How to pass a value extracted from a main search to a sub search from different source?

New Member

Thank you @Sukisen1981

0 Karma