Splunk Search

How to use files got as results from one query as source in another query?

anooshac
Communicator

Hi all,

I have 2 queries: from one I get a list of files, and the other query should use these files as its source to get some results. The output of the first query may have a lot of files, and I want to use all of them together in the second query. Does anyone have an idea of how to do this?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @anooshac,

please see my approach and adapt it to your use case:

index=abc [ | search 
     index=abc source=.......
     | rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)" 
     | stats latest(project_name_file) AS source BY project_name
     | fields source
     ]
| dedup name
| chart count(name) as count by "Number"

In a few words: to use the first search to filter the second search's results, you have to put the first search in a subsearch, then make sure that the key field has the same name in both the main search and the subsearch; for this reason I renamed latest(project_name_file) AS source.

Beware of whether project_name_file has the full path or not, because that is what you should have in the source field of the main search.

Ciao.

Giuseppe


gcusello
SplunkTrust
SplunkTrust

Hi @anooshac,

you could try something like this:

your_search_1 [ search your_search_2 | fields source ]
| ...

If you could share both your searches I could be more detailed.

Ciao.

Giuseppe

0 Karma

anooshac
Communicator

Hi, this is the first query I'm using to get the files. I want the most recently uploaded file of the project. This gives the recent file name with the project name. I don't know if this is the right method to get the recent file.

index=abc source=....... | rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)" | stats latest(project_name_file) by project_name

The result will have many files. I want to use all these files in another query.

index=abc source="All the files from previous query" | dedup name | chart count(name) as count by "Number"

I am not sure how to use all the files as source.

0 Karma


anooshac
Communicator

I am getting "No results found". Will I be able to use this query if the inner query has more than one file as output? Is that why it gives "No results found"?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @anooshac,

As I said in my previous answer, the problem is probably in the format of the results; you should check the results of the two queries and see if they have the same format, e.g. do both have the full path or not?

If they are different, you have to modify the search to adapt to the different formats, e.g. use an asterisk, or delete the full path and leave only the filename.

Ciao.

Giuseppe

0 Karma
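The subsearch approach from the accepted answer, with the path-mismatch caveat from the reply above handled by keeping the full source value instead of only the filename. This is an added example, not a query from the thread; the index, the "/A/B/C/" path layout and the field names are taken from the thread, and the source="/A/B/C/*" filter (standing in for the elided source=....... filter) is an assumption.

```spl
index=abc source="/A/B/C/*"
    [ search index=abc source="/A/B/C/*"
      | rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)"
      | stats latest(source) AS source BY project_name
      | fields source ]
| dedup name
| chart count(name) AS count BY "Number"
```

To check what the subsearch hands to the outer search, run the bracketed part on its own with `| format` appended; it should print one `( source="/A/B/C/<project>/<file>" )` clause per project, joined by OR, in exactly the form that the source field of the main search has. If you would rather keep only the filename, replace the stats line with `| stats latest(project_name_file) AS f BY project_name | eval source="*/" . f` so that the generated clauses carry a leading wildcard.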

anooshac
Communicator

Sorry, I missed that part. It is working fine now. Thanks a lot for the help!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @anooshac,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma