Solved: Pass parameters from one search to a second

kmattern · ‎10-05-2011

On a daily basis a series of publications are distributed to a number of different accounts. The list of publications changes on a daily basis and is never repeated. The publications are transferred by a server named jkcs1. I have a search that gathers the names of publications created in the past 24 hours from that server. That search looks like this:

sourcetype="iis" jkcs1 /tm/ .pdf 
|makemv delim="/" cs_uri_stem 
| eval pubName=mvindex(cs_uri_stem,3) 
| fields pubName 
| stats list(pubName)

I need a second search that will take the output from the first search (pubName) and tell me how many of those publications were downloaded by each account. Not all accounts will download the same number of publications. I have a search that works perfectly if I hardcode the publication name. It looks like this:

sourcetype="iis" 01-110hcg-1b.pdf cs_username!="-" 
| eval cs_uri_stem=lower(cs_uri_stem) 
| chart count(cs_uri_stem) as Accounts by cs_uri_stem 
| rename cs_uri_stem as Publications 
| where Accounts >1

The output looks like this:

Publications       Accounts
01-110hcg-1b.pdf   24

What I want is something that combines both searches so that the second part gathers data based on the pubName field from the first search. The output would then look like this:

Publications                   Accounts
01-110hcg-1b.pdf               24
16-35mx3160-2.pdf              18
a1-v22ac-mrc-000.pdf           22
01-75pac-2-9.pdf               24

I’ve tried subsearches, appends, appendcols, outputcsv and inputcsv, map and just about everything else I can think of. I can easily get the list of publications but the Accounts column is always blank.

Is it possible to do what I want?

gkanapathy · ‎10-05-2011

You need:

sourcetype="iis cs_username!="-" 
[ search sourcetype="iis" jkcs1 /tm/ .pdf
  | makemv delim="/" cs_uri_stem | eval pubName=mvindex(cs_uri_stem,3) 
  | fields pubName | rename pubName as query ]
| eval cs_uri_stem=lower(cs_uri_stem) 
| chart count(cs_uri_stem) as Accounts by cs_uri_stem 
| rename cs_uri_stem as Publications 
| where Accounts >1

You use a standard subsearch, but the trick is to name your field "query". I have no idea if this is even documented.

View solution in original post

gkanapathy · ‎10-05-2011

You need:

sourcetype="iis cs_username!="-" 
[ search sourcetype="iis" jkcs1 /tm/ .pdf
  | makemv delim="/" cs_uri_stem | eval pubName=mvindex(cs_uri_stem,3) 
  | fields pubName | rename pubName as query ]
| eval cs_uri_stem=lower(cs_uri_stem) 
| chart count(cs_uri_stem) as Accounts by cs_uri_stem 
| rename cs_uri_stem as Publications 
| where Accounts >1

You use a standard subsearch, but the trick is to name your field "query". I have no idea if this is even documented.

hiyer · ‎07-12-2013

YOU ARE AMAZING

sideview · ‎10-05-2011

It does get touched on in the docs a bit. http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork under the section titled "change the format of subsearch results" (which is now that I look at it, a bit of a misleading title for this info).

kmattern · ‎10-05-2011

Thanks! That's pretty close to what I want. I'll have to parse cs_uri_stem to remove the rest of the path for the file name. I have never seen anything about renaming teh field to "query" but if it works...

Pass parameters from one search to a second

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk