Splunk Search

How to store a value in one search and give it to other search

New Member

i need to store a numerical value in Energ1 and store a string value in energy1 and use them in the last search

      index=coemission |search household_id="1"| stats sum(energy_consumed_kwh_per_day) as Energ|eval Energ1=Energ  

|append [ search index=coemission|search household_id ="1"|stats values(energy_provider) as energy|eval energy1=energy]

|append [search sourcetype="energyscore"|search energy_provider=energy|stats sum(nuclear) as nuclear,sum(lignite) as lignite,sum(hardcoal) as hardcoal,sum(natural gas) as naturalgas,sum(renewables) as renewables,sum(others) as others 

|eval nuclear1=nuclear*Energ1|eval lignite1=lignite*Energ1|eval hardcoal1=hardcoal*Energ1|eval naturalgas1=naturalgas*Energ1|eval renewables1=renewables*Energ1|eval others=others*Energ1|fields - nuclear,lignite,hardcoal,naturalgas,renewables,others]       
Tags (2)
0 Karma

Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="energyscore" AND energy_provider="energy"
|stats sum(nuclear) AS nuclear sum(lignite) AS lignite sum(hardcoal) AS hardcoal sum(natural gas) AS naturalgas sum(renewables) AS renewables,sum(others) AS others 
|foreach nuclear lignite hardcoal naturalgas renewables others
[ eval <<FIELD>>1 = <<FIELD>> * [search index=coemission AND household_id="1" | stats sum(energy_consumed_kwh_per_day) AS Energ | return $Energ ] | fields - <<FIELD>> ]
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!