Not sure if this is possible through a Splunk query, but what I am trying to do is basically retrieve a field value from one search and pass it into another, and the same is to be done twice to get the desired result.
Let's consider the 3 different events below as _raw data:
14:06:06.932 host=xyz type=xyz type_id=123
14:06:06.932 host=xyz type=abc category=foo status=success
14:30:15.124 host=xyz app=test
Now the 1st and 2nd events are going into the same index and sourcetype, but the 3rd event is in a different index and sourcetype.
The 1st and 2nd events are happening at exactly the same time.
The expected result is to return the following field values:
host type type_id category status app
Below is my search, in which I am able to successfully correlate and find the category and status fields from the second event (note that the map search string has to be closed with a quote after the inner stats, otherwise the search will not parse):
index=foo sourcetype=foo type=xyz
| eval earliest = _time
| eval latest = earliest + 0.001
| table host type type_id earliest latest
| map search="search index=foo sourcetype=foo type=abc host=$host$ earliest=$earliest$ latest=$latest$
| stats values(_time) as _time values(type) as type values(category) as category values(status) as status by host"
| append
[search index=foo sourcetype=foo type=xyz
| stats values(type) as type values(type_id) as type_id by host]
| stats values(*) as * by host
The problem comes when I try to add another map search command to retrieve the app value present in the 3rd event.
So basically the following mapping should provide me those results:
| map search="search index=pqr sourcetype=pqr host=$host$ category=$category$ earliest=-1d latest=now | stats count by app"
And then this app value is to be searched in one of the lookup files to get some details.
I have tried multiple ways to incorporate this into the search but no luck.
Any help is appreciated.
My gut feeling says that using map is not the right approach here - it has its uses, but generally you can do things differently using stats.
Looking at the first 2 events, it seems you could combine those simply with
index=foo sourcetype=foo
| fields _time host type type_id category status
| stats values(*) as * by _time host
This assumes that a single host will have at most 1 pair of events, but I am not sure if your original version would have similar limitations.
Then I understand you are trying to get 'app' from the 3rd event to give you app-related lookup data.
Your third event, from your search (sourcetype pqr), indicates it also has category as well as app.
If that is supposed to have category data and the correlation between the 1+2 events and the 3rd is host+category, but the event can come before or after the 1+2 events, then MAYBE this could be done with a join.
I am not a fan of join, as it has limitations, but you could add in
| join host category [
search index=pqr sourcetype=pqr earliest=-1d latest=now
| stats values(app) as app by host category
]
If this search will return a small data set, then a join may be an OK solution.
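Putting the two pieces of the answer together with the lookup step from the question, the complete search would look like the following. This is an added example, not the answerer's own search; the lookup name app_details and its output fields app_owner and app_tier are assumed (substitute whatever your lookup file actually defines), and type=left is used on the join so that host/category rows with no matching pqr event are kept rather than silently dropped (join defaults to an inner join).

```spl
index=foo sourcetype=foo
| fields _time host type type_id category status
| stats values(*) as * by _time host
| join type=left host category [
    search index=pqr sourcetype=pqr earliest=-1d latest=now
    | stats values(app) as app by host category
  ]
| lookup app_details app OUTPUT app_owner app_tier
| table host type type_id category status app app_owner app_tier
```

Two caveats when testing this against real data. The first stats groups on the exact _time value, so it only pairs events 1 and 2 when their timestamps are identical to the millisecond, as in the question; if they can drift by a few milliseconds, add `| bin _time span=1s` before the stats so both land in the same bucket. Second, the subsearch inside join is subject to the subsearch limits (by default 50,000 results and 60 seconds, set under [join] in limits.conf); if the pqr search over the last day exceeds either, the join will quietly truncate its results, which is the limitation the answer warns about. Checking `| stats count by host category` on the pqr search by itself first is a quick way to confirm the result set stays small enough.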