Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pass the output of one query to another query

Deepz2612
Explorer
‎02-12-2019 03:02 AM

Hi,
My 1st query returns 3 fields output.Out of which one filed has to be given as input to the second query which fetches 3 fields along with this result value.
Kidnly help

Tags (1)
0 Karma
Reply

DMohn
Motivator
‎02-12-2019 05:17 AM 
<your second query> [ search <your first query> | return <your field>] | table <your other fields>

The first query needs to go as a subsearch (the part in []) and return the needed field back to the main search (which in your case is the second query). You can select which field to use as a result in the main search with the return command. Normally it would look something like "field=value1 OR field=value2 OR ...."
If you need another return format, please refer to the command documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return

0 Karma
Reply

Deepz2612
Explorer
‎02-12-2019 11:38 PM

Hi,

The above doesnt seem to work.It returns me 0 results.

0 Karma
Reply

MoniM
Communicator
‎02-12-2019 03:21 AM

Hi @Deepz2612 ,
You can go through these documentations of sub-search:-

https://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/Useasubsearch

https://www.splunk.com/blog/2012/11/05/book-excerpt-finding-specific-transactions.html

Thanks

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-12-2019 03:06 AM

Try this as a starting point: YOUR_SEARCH | append [SECOND SEARCH]

You need to supply more details if you want better help.

0 Karma
Reply

Deepz2612
Explorer
‎02-12-2019 03:58 AM

I have events like below with Job name and Incident number

Index= abc
Job: scdefgh_tal1080_d_b
App: YSC
Incident_Create_Number: INC0000XXXXXXXX

So I wrote a query to extract them as below:
index=abc |rex field=notes "Job:(?.*)\nApp" |table Job Incident_Create_Number Incident_Create_Assigned_Group

I have events where like below having Job name and its status
Index= xyz
CAUAJM_I_40245 EVENT: CHANGE_STATUS STATUS: TERMINATED JOB: iascamdsp_tal1080_d_b

So I wrote a query to extract them as below:
index=xyz | rex "]\s+(?\S+)\s+(?:((EVENT:)?\s(?\S+)\s+(STATUS:)?\s+(?\S+)\s+(JOB:)?\s+(?\S+)(\s+(MACHINE:)?\s+(?\S+))?(\s+(EXITCODE:)?\s+(?\S+))?))" |search event_1="CHANGE_STATUS" |table Job Job_Status

Now I wanted to combine both.For the Job name in the first query I want its status from the second query.
I tried using Join but its not returning any results.
Kindly help!

0 Karma
Reply

DMohn
Motivator
‎02-12-2019 05:40 AM

I assume you will have to use a join here:

index=abc |rex field=notes "Job:(?.*)\\nApp" | join Job [ index=xyz | rex "]\s+(?\S+)\s+(?:((EVENT:)?\s(?\S+)\s+(STATUS:)?\s+(?\S+)\s+(JOB:)?\s+(?\S+)(\s+(MACHINE:)?\s+(?\S+))?(\s+(EXITCODE:)?\s+(?\S+))?))" |search event_1="CHANGE_STATUS" |fields Job Job_Status] | table Job  Job_Status Incident_Create_Number Incident_Create_Assigned_Group
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top