Re: Nested query - Page 5

vihshah · ‎01-26-2024

Hi,

So my task is to extract a field from a query and search for that field. That query will give an object value as a string and want to extract data from there.

In summary, I need 3 things
1. plain query to get the data and extract a particular field.
2. Use that field as an input for the second query.
3. Get object data as a string as a result, extract fields from there, and generate a report from it in tabular format.

I was able to reach till 1st step and extract the field from it. but I am unable to search for it.
below is the query I tried.

sourcetype="mykube.source" "failed request" | rex "failed request:(?<request_id>[\w-]+)" | table request_id | head 1 | eval req_query = request_id | search req_query

if I try till `head 1` I get first request_id but after that result is empty for me.

ITWhisperer · ‎02-10-2024

How many of them had "failed request" in?

How many of those were able to extract request id?

Nested query

eval

search job inspector

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation