Splunk Search

Pass arguments between two searches, different sources

atanasmitev
Path Finder

I am trying to perform a "for loop" splunk style, with two sources: source1 , source2. The searches right now looks like this:

1. source="source1" param1=value1 param2=value2 | stats values(token). I need the token for the next :

2. source="source2" param4="*" token

I tried ( but returns error: "Error in 'map': Did not find value for required attribute 'token":

source="source1" param1=value1 param2=value2 | stats values(token) | 
map maxsearches=10 search="search source="source2" param4="*"  token=$token$ | 
stats values(param4) by token "

Where am I wrong, and is there a way to optimize this ?
I tried source1 OR source2, but then I need multiple OR ( AND ( OR))) clauses to match multiple needed parameters.

Thanks in advance,

0 Karma

atanasmitev
Path Finder

The working solution looks like this (note, results may vary, depending on what fields you have extracted) :

index=common_index  source=source2 param5 param4="*"  
[ 
  search index=common_index source=source1 param1=value1 param2=value2  
|stats values(token) as omg 
|rename omg as query 
] 
| stats values(param4) by token

This thing returns results like so :

param4_value1  token1
param4_value2  token2
param4_value2  token3

etc. 

martin_mueller, thanks one more time for helping 🙂

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You're basically trying to use results from one search to filter the next? No problem with subsearches:

source="source2" param4="*" [search source="source1" param1=value1 param2=value2 | fields token | dedup token]

Open the job inspector to see the expression being returned by the subsearch, it'll be a huge ((OR))-behemoth.

martin_mueller
SplunkTrust
SplunkTrust

Do post the exact search you're running and the debug info shown at the top of the job inspector.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That's exactly what the search-subsearch combo in my answer does.

0 Karma

atanasmitev
Path Finder

The " [ inner search ] " returns the token alright , however it seems that the outer one doesn't understand the token provided ... I accepted your answer, as it seems the problem is related to my splunk instance 🙂

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Do both sources have an extracted field token?

0 Karma

atanasmitev
Path Finder

Sorry for the delay.
Yes, both searches have "token" extracted.
I can manually perform search1- copy/paste "token" in search2, but I'd like to automate.

0 Karma

atanasmitev
Path Finder

True, but your way doesn't seem to be working.

The way I tried to do it , search 1 would return a list or single token like so:

tok_en1
tok_en2

What search 2 does is, foreach tok_en* get logged error message. It seems I need more time

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...