Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use values from one search to another search?

batuhankutluca
Explorer
‎03-18-2019 06:53 AM

Hello,
I have a certain search that returns me many fields with values. Next thing I wanna do is get values of "src_ip" field and use them on an other search. I assume I can do that with a subsearch but I it is a bit cost. Other solution I thought was upload the first search's output as csv and get values form lookup but I'm not allowed to upload lookups. Can someone help me about that? Thanks.
(TLDR - Don't wanna use subsearch, need a solution.)

Ex Search: sourcetype=xxx | table src_ip -> sourcetype=yyy srcip=$src_ip$

Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 07:06 AM

Hi @batuhankutluca
You don't need to upload a CSV, you can create one on-the-fly like this:

sourcetype=xxx | table src_ip dvc|outputlookup ip_to_dvc.csv

Then you can do:

sourcetype=yyy |lookup ip_to_dvc.csv src_ip as srcip OUTPUT dvc
If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 07:06 AM

Hi @batuhankutluca
You don't need to upload a CSV, you can create one on-the-fly like this:

sourcetype=xxx | table src_ip dvc|outputlookup ip_to_dvc.csv

Then you can do:

sourcetype=yyy |lookup ip_to_dvc.csv src_ip as srcip OUTPUT dvc
If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

batuhankutluca
Explorer
‎03-18-2019 07:09 AM

So this doesn't work like subsearch right ? It saves the output of the first search to somewhere and get values for the second search from there ?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-18-2019 07:15 AM

Correct, you can run this as two different searches.
This is commonly done to generate a lookup file once a day/hour etc, so you can then use it it subsequent searches.

If you wanted to run all the elements at once, there are a number of ways - subsearch as you have mentioned (but ruled out) a 'join' (also performance sucking), or couple of options with a event/stream stats commands, or even with an append.

Personally, I like the separate lookup option, but it all depends on your uses case.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

batuhankutluca
Explorer
‎03-18-2019 07:24 AM

Oh It fits for my problem then. Yeah as You mentioned that join and subsearch consume much resource. This method is just I wanted. Thanks sir!

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...