Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use search field as an input in another search query within same index.

abhijeet
Observer
‎11-30-2020 09:09 PM

Hello Friends, 

I am trying to fetch value of "F5_device"  from search and use as a input to another search to find the result of "syslog_severity". both fields are belongs to same index and sourcetype. 

I tried following subsearch query but noticed vast difference between output if ran query separately. 

index="f5" sourcetype="f5:enterprise" [search index="f5" sourcetype="f5:enterprise" AND (F5_URL=*abc.com* OR F5_vip=*abc.com* ) | fields + F5_device] |stats count by syslog_severity

Also from another  thread i do understand that subsearch have limitation so please suggest if there is any alternative option available for subsearch. I would like to use this query within dashboard.

Thank you in advance.  

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎11-30-2020 10:03 PM

If they are from same index and sourcetype, you probably could add the filters to F5_device in the same search.

 index="f5" sourcetype="f5:enterprise" AND (F5_URL=*abc.com* OR F5_vip=*abc.com* ) F5_device=* |stats count by syslog_severity

 Please let's know if your requirement is different from above

0 Karma
Reply

abhijeet
Observer
‎11-30-2020 11:51 PM

Hi Renjith, 

Thank you for reply. This is not the  output actually i am looking for.  index="f5" sourcetype="f5:enterprise" AND (F5_URL=*abc.com* OR F5_vip=*abc.com* ) is a subset of "index="f5" sourcetype="f5:enterprise" F5_device=* ".  Dashboard allows user to search for "F5_URL" and it will locate F5 device were url is hosted. Once device is located then we would like to run another query (within same dashboard) to check what different syslog events are reported by that device. 

 

 

 

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎12-01-2020 12:06 AM

Ok, are these urls and syslog entries are in different events and do they have F5 device common in them?

Do you have some sample events for them ? Mostly we should be able to combine them.

On another note, are you trying to implement a drill-down functionality?

If your searches are enabled with tokens in the dashboard, you can substitute the device with token value to get the syslog events as you might already know.

 

0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!