Pass arguments between two searches, different sources

atanasmitev
Path Finder

I am trying to perform a "for loop" Splunk style, with two sources: source1, source2. The searches right now look like this:

1. source="source1" param1=value1 param2=value2 | stats values(token). I need the token for the next one:

2. source="source2" param4="*" token

I tried this (but it returns the error "Error in 'map': Did not find value for required attribute 'token'"):

source="source1" param1=value1 param2=value2 | stats values(token) | 
map maxsearches=10 search="search source="source2" param4="*"  token=$token$ | 
stats values(param4) by token "

Where am I wrong, and is there a way to optimize this?
I tried source1 OR source2, but then I need multiple OR (AND (OR)) clauses to match multiple needed parameters.

Thanks in advance,

0 Karma

atanasmitev
Path Finder

The working solution looks like this (note, results may vary, depending on what fields you have extracted):

index=common_index  source=source2 param5 param4="*"  
[ 
  search index=common_index source=source1 param1=value1 param2=value2  
|stats values(token) as omg 
|rename omg as query 
] 
| stats values(param4) by token

This thing returns results like so:

param4_value1  token1
param4_value2  token2
param4_value2  token3

etc. 

martin_mueller, thanks one more time for helping 🙂

0 Karma
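The two ways of passing values from search 1 into search 2 that this thread ends up with, written out as an added example that is not from the original posts (index name `common_index` and the field names are taken from the thread; the values `tok_en1`/`tok_en2` are constructed). The first search is the subsearch form martin_mueller describes, with an explicit `format` so the generated expression is visible; the second is the `map` form the question attempted. One caveat applies to both: `stats values(token)` names its output field `values(token)`, not `token`, unless you add `AS token`, so a later `$token$` in `map` (or a `fields token` in a subsearch) finds nothing. Quotes inside the `map` search string also have to be escaped as `\"`, otherwise they terminate the string early.

```spl
index=common_index source=source2 param4="*"
    [ search index=common_index source=source1 param1=value1 param2=value2
      | dedup token
      | fields token
      | format ]
| stats values(param4) AS param4_values BY token

index=common_index source=source1 param1=value1 param2=value2
| stats values(token) AS token
| mvexpand token
| map maxsearches=10 search="search index=common_index source=source2 param4=\"*\" token=\"$token$\" | stats values(param4) AS param4_values BY token"
```

With the constructed tokens the subsearch expands to `( ( token="tok_en1" ) OR ( token="tok_en2" ) )`, which is the "OR-behemoth" the job inspector shows; `dedup` keeps that clause as short as possible. Subsearches are capped by `limits.conf` (`[subsearch]` `maxout`, default 10000 rows, and `maxtime`, default 60 seconds), and `map` runs one full search per row up to `maxsearches` (default 10), so the subsearch form is the cheaper one whenever the token list fits within those limits; prefer `map` only when each token genuinely needs its own search.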

martin_mueller
SplunkTrust

You're basically trying to use results from one search to filter the next? No problem with subsearches:

source="source2" param4="*" [search source="source1" param1=value1 param2=value2 | fields token | dedup token]

Open the job inspector to see the expression being returned by the subsearch, it'll be a huge ((OR))-behemoth.

martin_mueller
SplunkTrust

Do post the exact search you're running and the debug info shown at the top of the job inspector.

0 Karma

martin_mueller
SplunkTrust

That's exactly what the search-subsearch combo in my answer does.

0 Karma

atanasmitev
Path Finder

The "[ inner search ]" returns the token all right; however, it seems that the outer one doesn't understand the token provided ... I accepted your answer, as it seems the problem is related to my Splunk instance 🙂

0 Karma

martin_mueller
SplunkTrust

Do both sources have an extracted field token?

0 Karma

atanasmitev
Path Finder

Sorry for the delay.
Yes, both searches have "token" extracted.
I can manually perform search1- copy/paste "token" in search2, but I'd like to automate.

0 Karma

atanasmitev
Path Finder

True, but your way doesn't seem to be working.

The way I tried to do it, search 1 would return a list or a single token like so:

tok_en1
tok_en2

What search 2 does is, for each tok_en*, get the logged error message. It seems I need more time.

0 Karma