Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send a calculated multivalued field from a search as an input to another search

kiru2992
Path Finder
‎07-22-2020 12:34 AM

Hello Everyone!

I have a scenario to extract a particular set id's from index1 in search1 and run a search2 on index2 based on the extracted ids.

Example :

Search1:

index="index1" sourcetype="st1" field1="abc"

|rename id as ticket_id

Search2:

index="index2" source="xyz"

| sort 0 ticket_id

|.........

What's the best way to go about it? I tried using map but I've had no luck at all. Not sure if it's because I'm using it wrong or if it's not appropriate for the situation. Including both indexes at the start of the search is not feasible given the absurd size of the second index.

Can anyone please help me here?

Thank you in advance.

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2020 06:22 AM

If the number of results from search 1 is fewer than 10,000 then you can use a subsearch.

index="index2" source="xyz" [ index="index1" sourcetype="st1" field1="abc"
|rename id as ticket_id | fields ticket_id | format ]
| sort 0 ticket_id
|.........
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kiru2992
Path Finder
‎07-22-2020 08:26 PM

Thank you for your reply. May I know why this is limited to 10,000.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2020 05:37 AM
It is a limit imposed by Splunk for reasons known only to them. See https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Aboutsubsearches#Output_settings_for_subse...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...