How to write a query which take all this values an...

Mofizul · ‎02-23-2022

index=instance1 sourcetype=source1 "Invalid-Access" | fields reqId | table reqId

The above query gives me a table as below

12A

32B

34C

Unable to write a query which take all this values and search for results in different sourcetype=source2.

Tried this below but not getting the results. Can anyone help ?

index=instance1 sourcetype=source2 [search index=instance1 sourcetype=source1 "Invalid-Access" | fields reqId | table reqId]

PickleRick · ‎02-23-2022

Depends on what exactly you want to achieve.

Your search will effectively be expanded in run-time using subsearch results to

index=instance1 sourcetype=source2 ( reqId=12A OR reqId=32B OR reqId=34C)

Is that what you wanted?

Mofizul · ‎02-23-2022

Yes .

richgalloway · ‎02-23-2022

Use the format command instead of table to put the results of the subsearch into a format that can be queried. Note that source1 and source2 must both have a field called 'reqId' or the subsearch will have to rename reqId to whatever source1 uses.

index=instance1 sourcetype=source2 [search index=instance1 sourcetype=source1 "Invalid-Access" | fields reqId | format ]

---
If this reply helps you, Karma would be appreciated.

Mofizul · ‎02-23-2022

Source1 has reqId but source 2 has the same value as reqId but it is a string.

How to write a query which take all this values and search for results in different sourcetype=source2?

subsearch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?