Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use values from one search to another search?

batuhankutluca
Explorer
‎03-18-2019 06:53 AM

Hello,
I have a certain search that returns me many fields with values. Next thing I wanna do is get values of "src_ip" field and use them on an other search. I assume I can do that with a subsearch but I it is a bit cost. Other solution I thought was upload the first search's output as csv and get values form lookup but I'm not allowed to upload lookups. Can someone help me about that? Thanks.
(TLDR - Don't wanna use subsearch, need a solution.)

Ex Search: sourcetype=xxx | table src_ip -> sourcetype=yyy srcip=$src_ip$

Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 07:06 AM

Hi @batuhankutluca
You don't need to upload a CSV, you can create one on-the-fly like this:

sourcetype=xxx | table src_ip dvc|outputlookup ip_to_dvc.csv

Then you can do:

sourcetype=yyy |lookup ip_to_dvc.csv src_ip as srcip OUTPUT dvc
If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 07:06 AM

Hi @batuhankutluca
You don't need to upload a CSV, you can create one on-the-fly like this:

sourcetype=xxx | table src_ip dvc|outputlookup ip_to_dvc.csv

Then you can do:

sourcetype=yyy |lookup ip_to_dvc.csv src_ip as srcip OUTPUT dvc
If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

batuhankutluca
Explorer
‎03-18-2019 07:09 AM

So this doesn't work like subsearch right ? It saves the output of the first search to somewhere and get values for the second search from there ?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-18-2019 07:15 AM

Correct, you can run this as two different searches.
This is commonly done to generate a lookup file once a day/hour etc, so you can then use it it subsequent searches.

If you wanted to run all the elements at once, there are a number of ways - subsearch as you have mentioned (but ruled out) a 'join' (also performance sucking), or couple of options with a event/stream stats commands, or even with an append.

Personally, I like the separate lookup option, but it all depends on your uses case.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

batuhankutluca
Explorer
‎03-18-2019 07:24 AM

Oh It fits for my problem then. Yeah as You mentioned that join and subsearch consume much resource. This method is just I wanted. Thanks sir!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...