Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass result of one query to input as filed for another query?

kiran007
Explorer
‎06-07-2022 05:10 AM

I'm trying to pass the result of one query to as input field for another query. Please see the below screen shots and help me out.

query1:

index=* sourcetype="prod-ecp-aks-" "bookAppointmentRequest" "Fname" "Lname" | fields data.req.headers.xcorrelationid.

It will return the co-relation id.

 

query 2: 

index=*  sourcetype="prod-ecp-aks" "7403cb0a-885d-36ee-0857-fa7e99741bf7" "da_appointment"

It will return the appointments for that co-relation id.

 

I want to combine these two queries and pass that co-relation id.

Note:-  The co-relation id's are more than one sometime, I need appointment id's for all the co-relation id's.

 

I gone through so many links, tried join, subquery but didn't get expected result. Please help me out.

Thanks.

Labels (2)
Labels
Preview file
88 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 05:25 AM

Hi @kiran007,

your need is to filter the results of the second for the results of the first or do you want fields from bothe the searches?

if the first case, you can use a subsearch, pointing attention only to one thing: the fields to use for filtering must be the only output of the subsearch and the field name must be the same oth the main search.

In tiyr case, if you want to filter search2 with the values of data.req.headers.xcorrelationid, the first thing is to be sure that the field "data.req.headers.xcorrelationid" is present also in the second search, otherwise you have to renema it, so you could run something like this:

index=*  sourcetype="prod-ecp-aks" "7403cb0a-885d-36ee-0857-fa7e99741bf7" "da_appointment" [ search 
index=* sourcetype="prod-ecp-aks-" "bookAppointmentRequest" "Fname" "Lname" | fields data.req.headers.xcorrelationid ]
| ...

if instead you want something like a join between the results of both searches, you have to be sure that in both searches there's the same field (e.g. "data.req.headers.xcorrelationid"), then you can run something like this:

index=*  sourcetype="prod-ecp-aks" (("7403cb0a-885d-36ee-0857-fa7e99741bf7" "da_appointment") OR ("bookAppointmentRequest" "Fname" "Lname"))
| stats values(*) AS * BY data.req.headers.xcorrelationid

Ciao.

Giuseppe

 

0 Karma
Reply

kiran007
Explorer
‎06-07-2022 06:12 AM

Hi @gcusello ,

Thanks for your reply. 

I need result of first query(co-relation id) should be send as search field for the second query. No need to give that co-relation id manually to the second search. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 06:41 AM

Hi @kiran007,

in this case you have to use the first search as subsearch to filter the results of the second.

Remember to use the same field name in both the searches.

Remember also that a subsearch has always the limit of 50,000 results, so if you exceed this limit you have to use a different approach.

Ciao.

Giuseppe

Reply

kiran007
Explorer
‎06-07-2022 05:13 AM
 
Preview file
101 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...