Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass list of values from the first search into the second search ?

raylex_splunk_d
Explorer
‎05-06-2016 08:10 AM

Here is what I do to get required search results using two separate searches:

SEARCH#1

I use the following query 

index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName

In order to generate statistical table containing single column list of names of the servers:

servername1
servername2
servername3

SEARCH#2

I use the following query to generate search results using the names I obtained earlier in SEARCH#1 

index=software_inventory servername1 OR servername2 OR servername3

It is an easy task if you have 3 servers, but it is not if you have 500

QUESTION:

How do I combine these two searches into one so I don't have to put server names manually into second search?

Thank you so much for your help!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-06-2016 07:00 PM

Assuming the software inventory index contains field extractions for the server names and the field is called servername...

 index=software_inventory [search  index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName] | search servername=ServerName

Or maybe it's just as easy as this:

index=software_inventory [search  index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName]

I'm not very awesome at subsearches...

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-06-2016 07:00 PM

Assuming the software inventory index contains field extractions for the server names and the field is called servername...

 index=software_inventory [search  index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName] | search servername=ServerName

Or maybe it's just as easy as this:

index=software_inventory [search  index=hardware_inventory vendor=hp AND  env=prod |dedup ServerName|table ServerName]

I'm not very awesome at subsearches...

Reply
Solved! Jump to solution

raylex_splunk_d
Explorer
‎05-09-2016 07:02 AM

ServerName field does not exist in software_inventory index.

However, values (servername1, servername2, servername3..) do exist in software_inventory index.

Basically what I am doing is extracting list of server names from hardware_inventory index and then use this list of names to extract all data, associated with these names from software_inventory index.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 08:33 AM

That's why i mentioned the assumption, and it certainly changes the answer 😉

 index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | rename ServerName as search ]

Or use return command instead of rename:

 index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | return $ServerName ]
0 Karma
Reply
Solved! Jump to solution

raylex_splunk_d
Explorer
‎05-09-2016 10:56 AM

Thanks so much for trying to help me !!!
I did try both of the queries but still getting incorrect results : it shows only the very first name (value) from the generated list from hardware_inventory. Somehow it is only passing one, not multiple values to the software_inventory.

Somehow I need to pass OR after each value name in order to get the right results

0 Karma
Reply
Solved! Jump to solution

raylex_splunk_d
Explorer
‎05-09-2016 11:14 AM

If I can make query :

index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | rename ServerName as search ]

to return events for more than one value I think that would do it !

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 11:26 AM

index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | return 500000 $ServerName]

0 Karma
Reply
Solved! Jump to solution

raylex_splunk_d
Explorer
‎05-10-2016 06:45 AM

Thanks so much for your great help!!!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-10-2016 06:58 AM

Problem solved? If so can you mark as answer?

0 Karma
Reply
Solved! Jump to solution

raylex_splunk_d
Explorer
‎05-11-2016 03:54 AM

Yes ! Thank you so much!
I did mark the answer!

0 Karma
Reply
Solved! Jump to solution

Anantha123
Communicator
‎10-30-2018 08:34 PM

Hii, Which query helped you ??

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 11:31 AM

index=software_inventory [ search index=hardware_inventory vendor=hp env=prod ServerName=* | dedup ServerName | fields ServerName | format]

0 Karma
Reply
Solved! Jump to solution

raylex_splunk_d
Explorer
‎05-09-2016 06:16 AM

Thanks so much for your response!

I tried both methods but it doesn't work the same way as it does when manually putting "ServerName" values into the search.

Field ServerName does exist. In my example "servername1..2" in lower case is actual value of the ServerName filed.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 06:22 AM

Does the ServerName field exist in the software_inventory index?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-06-2016 07:21 PM

Converted to an Answer, because it is one. 🙂

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...