Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use output of a 1st query as input in second query.

satyajit7
Explorer
‎04-13-2021 11:36 PM

I have a 1st query by taking input from the dashboard and where I got id as a result from that. And I want to use that id fetch from the 1st query , in my 2nd query as input and show the required fileds which is available in 2nd query on dashboard.

 

N.B:- I know join but facing issue in how to pass that id as a variable to the 2nd query

Actually it need to be work on a dashboard.

 

Can someone please help.

@niketn 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-14-2021 11:15 AM

You can try below with only one search, subsearch output will be used as a filter for your second query. You can play with the token places according to your searches.

... | search [ search $token_account_id$ earliest=$token_time.earliest$ latest=$token_time.latest$| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID | fields TXNID ] | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-14-2021 11:15 AM

You can try below with only one search, subsearch output will be used as a filter for your second query. You can play with the token places according to your searches.

... | search [ search $token_account_id$ earliest=$token_time.earliest$ latest=$token_time.latest$| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID | fields TXNID ] | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

satyajit7
Explorer
‎04-14-2021 10:47 PM

@scelikok thanks so much. I just put join instead of | search and it worked magically.

 

My final query will be like 

... | Join [ search $token_account_id$ earliest=$token_time.earliest$ latest=$token_time.latest$| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID | fields TXNID ] | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date 

0 Karma
Reply
Solved! Jump to solution

satyajit7
Explorer
‎04-14-2021 10:41 PM

Thanks for your reply. I tried this subsearch approach but seems it didn't give me any results

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎04-13-2021 11:39 PM

Hi @satyajit7,

You can use 1nd query as a subsearch or use map command. If you can share your sample queries, we can help to build the query.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

satyajit7
Explorer
‎04-14-2021 03:39 AM

Thanks @scelikok  for the reply.

Mu sample query

1st query

...| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID 

2nd query 

... Need to pass that TXNID here | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date 

 

NB:-

I will use this in the dashboard. In the dashboard I have one input text and a date filed which user need to provide. User will provide account id which need to be on 1st query based on the account and time stamo it will fetch the txnid and using that txnid need to fetch and show in the dashboard.

 

 

 

 

 

 

 

 

 

 

 

0 Karma
Reply
Solved! Jump to solution

satyajit7
Explorer
‎04-15-2021 01:30 AM

@Burch can you please help me. Still I'm facing issue to use the output of the 1st query in my 2nd query.

 

And my 2nd query is complex one as it contains 3 join query but all 3 required txn id as input also

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎04-15-2021 09:40 AM

Hi, this is Burch. It looks like there is an accepted answer and others are already actively working with you on this. Is that not the case? If not, then perhaps un-accept the answer and let's make it clear that all are able to help you rather than specific people.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...