Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send the output of one sourcetype into another

nidhi6
New Member
‎09-06-2016 04:40 AM

Hi,

I am trying to run a search query wherein where in output of one query acts as inupt for the following query.
Please help me with the syntax.
Also,please let me know how can i view the second query resul in dashbaord. (Means when i click on visualization i should be redirected towards the second query dashboard.

Please help.

Thanks & Regards,
Nidhi Gupta

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-06-2016 08:03 AM

..I am trying to run a search query wherein where in output of one query acts as inupt for the following query
While using pipes |, by default, first query output will be passed to second query. for example, 

index=app search-for-something | table source, sourcetype, _time

..how can i view the second query result in dashboard
You can use timechart command, or chart commands, which will create the visualizations
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart

Can you provide us more info about the requirement, so that we can suggest you exactly how to proceed?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

nidhi6
New Member
‎09-06-2016 10:29 AM

Hello,

Basically I am querying one of the sourcetype and its field is to be matched with the second sourcetype and I want to show fields from second sourcetype after matching data from the 1st sourcetype .

In the database sense I want to use join between two sourcetype .

Thanks,
Nidhi

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-07-2016 02:24 AM

Hi Nidhi,

Maybe, like this.. there is a join command in Splunk as well, but that may not be needed for this one, I think.

search index=app sourcetype=abc | table host

This will search for sourcetype abc on index app, and returns the list of host names.

This search below will check on index app, for sourcetype a1b1c1, and only for the host list from first search.

index=app sourcetype=a1b1c1 [search index=app sourcetype=abc | table host] | table _raw _time

if you update us with your present search or more info on the requirement, we can suggest exactly.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2016 06:04 AM

Could you be more specific? What are the two queries?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...