Splunk Search

How to pass the results of the first query into a second query based on a common field

bcronrath
Path Finder

I have an initial query that returns all instances of 500 internal errors in a log file. However, these entries have an ID that maps to a different log entry that does not have a result code setting, but contains the actual error that I need to view. If it helps, this is a quick visualization of how I am looking at the individual errors:

Step 1 - "Search for 500 errors across hosts"
Step 2 - "Grab a specific ID field from one of these entries that are returned"
Step 3 - "Search across hosts for that specific ID"
Step 4 - "The single entry that I grabbed the ID for now shows the separate entry that has the actual error details"

My problem is that I can't afford to go through all of these 1 by 1. What I would like is to see all of the entries that have the actual error details (in other words, I want to see a list of all the entries that Step 4 gives me above).

I had thought doing something like this:

result_code=500 | join c_id []

Would accomplish this, but that just returns an empty set.

1 Solution

aweitzman
Motivator

It looks like a subsearch would be appropriate here:

sourcetype=hosts [search sourcetype=hosts result_code=500 | table c_id]

The subsearch goes through hosts and finds the c_id values for all of the entries with a result_code of 500. That list of c_id values is then applied to the main search as a big OR clause ( c_id=123 OR c_id=456 OR ... ), which ought to get you the results you want.

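To make the subsearch mechanics in this answer concrete, and to show the four-step correlation from the question running end to end, here is an added Python model of what Splunk does with `sourcetype=hosts [search sourcetype=hosts result_code=500 | table c_id]`. It is example code written for this page, not Splunk's implementation and not code from either poster. The log lines are constructed, the key=value layout (`c_id`, `result_code`, `error`) is assumed, and the `parse_events` / `subsearch_ids` / `or_clause` / `outer_search` / `error_details` names are mine.

```python
import re

# Constructed sample events (not from the original post). Two kinds of entries
# share a correlation id c_id: the response entry carrying result_code, and the
# detail entry with no result_code that holds the actual error text.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web1 c_id=123 result_code=500 path=/api/orders
2024-05-01T10:00:01Z host=web1 c_id=123 error="NullPointerException in OrderService"
2024-05-01T10:00:02Z host=web2 c_id=456 result_code=200 path=/api/health
2024-05-01T10:00:03Z host=web2 c_id=789 result_code=500 path=/api/cart
2024-05-01T10:00:03Z host=web2 c_id=789 error="Timeout contacting payment gateway"
2024-05-01T10:00:04Z host=web1 c_id=456 error="Cache miss (informational)"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn each raw log line into a dict of extracted fields plus its _raw text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        fields["_raw"] = line
        events.append(fields)
    return events


def subsearch_ids(events, field="c_id", **where):
    """The inner search: [search result_code=500 | table c_id].

    Returns the distinct values of `field` from events matching every
    key=value condition in `where` (Step 1 and Step 2 of the question).
    """
    return sorted({e[field] for e in events
                   if field in e and all(e.get(k) == v for k, v in where.items())})


def or_clause(field, values):
    """How Splunk splices the subsearch result into the outer search:
    a disjunction such as ( c_id=123 OR c_id=789 )."""
    return "( " + " OR ".join(f"{field}={v}" for v in values) + " )"


def outer_search(events, ids, field="c_id"):
    """The outer search: every event whose c_id is in the subsearch's result set
    (Step 3 of the question, run for all ids at once)."""
    wanted = set(ids)
    return [e for e in events if e.get(field) in wanted]


def error_details(text):
    """Full pipeline. The outer search returns both the 500 responses and their
    detail entries; keeping only events without result_code leaves the detail
    entries the question's Step 4 asks for."""
    events = parse_events(text)
    ids = subsearch_ids(events, result_code="500")
    matched = outer_search(events, ids)
    return [e for e in matched if "result_code" not in e]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    ids = subsearch_ids(evts, result_code="500")
    print("subsearch expands to:", or_clause("c_id", ids))
    for e in error_details(SAMPLE_LOG):
        print(e["c_id"], "->", e["error"])
```

Two things worth knowing when you move this back into SPL. First, the outer search above returns both the 500 response and its detail entry for each id; adding `NOT result_code=*` to the outer search keeps only the detail entries. Second, a subsearch is bounded by `limits.conf` (by default it stops after 10,000 results or 60 seconds), so if there are more than that many 500 errors in the time range, the OR clause is silently truncated and some detail entries will be missing.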


mvaradarajam
Path Finder

Not working.....


aweitzman
Motivator

Could you please be more specific? What is the search you are running, and which part of it is not doing what you expect?
