Splunk Search

How to use search field as an input in another search query within same index.

abhijeet
Observer

Hello Friends, 

I am trying to fetch value of "F5_device"  from search and use as a input to another search to find the result of "syslog_severity". both fields are belongs to same index and sourcetype. 

I tried following subsearch query but noticed vast difference between output if ran query separately. 

index="f5" sourcetype="f5:enterprise" [search index="f5" sourcetype="f5:enterprise" AND (F5_URL=*abc.com* OR F5_vip=*abc.com* ) | fields + F5_device] |stats count by syslog_severity

Also from another  thread i do understand that subsearch have limitation so please suggest if there is any alternative option available for subsearch. I would like to use this query within dashboard.

Thank you in advance.  

 

 

 

 

Labels (1)
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

If they are from same index and sourcetype, you probably could add the filters to F5_device in the same search.

 index="f5" sourcetype="f5:enterprise" AND (F5_URL=*abc.com* OR F5_vip=*abc.com* ) F5_device=* |stats count by syslog_severity

 Please let's know if your requirement is different from above

0 Karma

abhijeet
Observer

Hi Renjith, 

Thank you for reply. This is not the  output actually i am looking for.  index="f5" sourcetype="f5:enterprise" AND (F5_URL=*abc.com* OR F5_vip=*abc.com* ) is a subset of "index="f5" sourcetype="f5:enterprise" F5_device=* ".  Dashboard allows user to search for "F5_URL" and it will locate F5 device were url is hosted. Once device is located then we would like to run another query (within same dashboard) to check what different syslog events are reported by that device. 

 

 

 

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Ok, are these urls and syslog entries are in different events and do they have F5 device common in them?

Do you have some sample events for them ? Mostly we should be able to combine them.

On another note, are you trying to implement a drill-down functionality?

If your searches are enabled with tokens in the dashboard, you can substitute the device with token value to get the syslog events as you might already know.

 

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!