Parse a value and then use that as new query to se...

zakirhere · ‎02-20-2023

Hi,

I have an unusual scenario for the data I am working with and would like to see if it's even possible to extract data this way. In brief, I parsed a value from my initial search query to a variable using rex and now I want to use only that value as new query instead of sub-query.

Workflow:

Find all successful test runs for a suite (this is a long query)
Find reporting_url via event on each run
Parse uuid from reporting_url (I used rex on raw data and saved it on variable like res_uuid)
Search only that uuid as that has multiple test_id records showing count of Pass/Fail counts.
(Eventually create a graph for the same)

Trying to make a simple example:

First query -> Gives test suite level record. Parse to get UUID value

Second query -> Independent query using that UUID and then use that for making graph. Please note that 2nd query results not linked with 1st query and sub-search will only give one record.

(Apologies if it's a very common workflow but I was not able to search it easily)

scelikok · ‎02-20-2023

Hi @zakirhere,

You can append the new UUID value to a lookup, your second search use that lookup for the graph.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

zakirhere · ‎02-21-2023

Lookup on that result only shows results from the parent level (meaning same result). I checked in other groups and looks like I have to use some external programming language to pass these variable values and start a new query.

Parse a value and then use that as new query to search?

field extraction

rex

search job inspector

stats

Buttercup Games Tutorial Extension - part 9

Buttercup Games Tutorial Extension - part 8

Introducing the Splunk Developer Program!

Are you a member of the Splunk Community?