Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send the output of one sourcetype into another

nidhi6
New Member
‎09-06-2016 04:40 AM

Hi,

I am trying to run a search query wherein where in output of one query acts as inupt for the following query.
Please help me with the syntax.
Also,please let me know how can i view the second query resul in dashbaord. (Means when i click on visualization i should be redirected towards the second query dashboard.

Please help.

Thanks & Regards,
Nidhi Gupta

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-06-2016 08:03 AM

..I am trying to run a search query wherein where in output of one query acts as inupt for the following query
While using pipes |, by default, first query output will be passed to second query. for example, 

index=app search-for-something | table source, sourcetype, _time

..how can i view the second query result in dashboard
You can use timechart command, or chart commands, which will create the visualizations
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart

Can you provide us more info about the requirement, so that we can suggest you exactly how to proceed?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

nidhi6
New Member
‎09-06-2016 10:29 AM

Hello,

Basically I am querying one of the sourcetype and its field is to be matched with the second sourcetype and I want to show fields from second sourcetype after matching data from the 1st sourcetype .

In the database sense I want to use join between two sourcetype .

Thanks,
Nidhi

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-07-2016 02:24 AM

Hi Nidhi,

Maybe, like this.. there is a join command in Splunk as well, but that may not be needed for this one, I think.

search index=app sourcetype=abc | table host

This will search for sourcetype abc on index app, and returns the list of host names.

This search below will check on index app, for sourcetype a1b1c1, and only for the host list from first search.

index=app sourcetype=a1b1c1 [search index=app sourcetype=abc | table host] | table _raw _time

if you update us with your present search or more info on the requirement, we can suggest exactly.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2016 06:04 AM

Could you be more specific? What are the two queries?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...
Top