Pass the output of one query to another query
Hi,
My 1st query returns 3 fields as output. One of those fields has to be given as input to the second query, which fetches 3 fields along with this result value.
Kindly help

<your second query> [ search <your first query> | return <your field>] | table <your other fields>
The first query needs to go as a subsearch (the part in []) and return the needed field back to the main search (which in your case is the second query). You can select which field to use as a result in the main search with the return command. Normally it would look something like "field=value1 OR field=value2 OR ...."
If you need another return format, please refer to the command documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return
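The pattern in this answer, spelled out with constructed names. This is an added illustration, not part of the reply; `index=tickets`, `index=auth` and the fields `host`, `user`, `action` and `status` are assumptions:

```spl
index=auth action=failure
    [ search index=tickets status=open
      | dedup host
      | return 100 host ]
| table _time host user action
```

The subsearch runs first and is replaced by `host="h1" OR host="h2" OR ...`, which then filters the outer search. Two details that commonly produce 0 results: `return` emits only one row unless a count is given (the `100` above), and the emitted field name must exist under that same name in the outer search; if the two queries call the field differently, rename it on the way out with `return 100 host=server_name`. Subsearches are also capped (10,000 results and 60 seconds by default), so for very large value lists a `stats`-based correlation is the safer choice.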
Hi,
The above doesn't seem to work. It returns 0 results for me.
Hi @Deepz2612 ,
You can go through this documentation on subsearches:
https://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/Useasubsearch
https://www.splunk.com/blog/2012/11/05/book-excerpt-finding-specific-transactions.html
Thanks

Try this as a starting point: YOUR_SEARCH | append [SECOND SEARCH]
You need to supply more details if you want better help.
I have events like the one below, with the job name and incident number:
Index= abc
Job: scdefgh_tal1080_d_b
App: YSC
Incident_Create_Number: INC0000XXXXXXXX
So I wrote a query to extract them as below:
index=abc | rex field=notes "Job:(?<Job>.*)\nApp" | table Job Incident_Create_Number Incident_Create_Assigned_Group
And I have events like the one below, with the job name and its status:
Index= xyz
CAUAJM_I_40245 EVENT: CHANGE_STATUS STATUS: TERMINATED JOB: iascamdsp_tal1080_d_b
So I wrote a query to extract them as below:
index=xyz | rex "]\s+(\S+)\s+(?:((EVENT:)?\s(?<event_1>\S+)\s+(STATUS:)?\s+(?<Job_Status>\S+)\s+(JOB:)?\s+(?<Job>\S+)(\s+(MACHINE:)?\s+(\S+))?(\s+(EXITCODE:)?\s+(\S+))?))" | search event_1="CHANGE_STATUS" | table Job Job_Status
Now I want to combine both: for the job name in the first query I want its status from the second query.
I tried using join but it's not returning any results.
Kindly help!

I assume you will have to use a join here:
index=abc | rex field=notes "Job:(?<Job>.*)\\nApp" | join Job [ index=xyz | rex "]\s+(\S+)\s+(?:((EVENT:)?\s(?<event_1>\S+)\s+(STATUS:)?\s+(?<Job_Status>\S+)\s+(JOB:)?\s+(?<Job>\S+)(\s+(MACHINE:)?\s+(\S+))?(\s+(EXITCODE:)?\s+(\S+))?))" | search event_1="CHANGE_STATUS" | fields Job Job_Status ] | table Job Job_Status Incident_Create_Number Incident_Create_Assigned_Group
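A join-free way to get the same correlation, added here as an example rather than taken from the thread. It reads both indexes in one search, normalizes the job name, and lets `stats` bring the rows together. The simplified rex patterns and the assumption that the `notes` field only occurs in `index=abc` are mine; `latest()` is used so a job that changed status several times reports its most recent one:

```spl
(index=abc) OR (index=xyz)
| rex field=notes "Job:\s*(?<Job>\S+)"
| rex "EVENT:\s+(?<event_1>\S+)\s+STATUS:\s+(?<Job_Status>\S+)\s+JOB:\s+(?<Job>\S+)"
| where isnull(event_1) OR event_1="CHANGE_STATUS"
| eval Job=trim(Job)
| stats latest(Job_Status) as Job_Status,
        values(Incident_Create_Number) as Incident_Create_Number,
        values(Incident_Create_Assigned_Group) as Incident_Create_Assigned_Group
        by Job
| where isnotnull(Incident_Create_Number)
| table Job Job_Status Incident_Create_Number Incident_Create_Assigned_Group
```

Two things to check when the original join returns nothing: `Job:(?<Job>.*)` captures the space after the colon, so the value " scdefgh_tal1080_d_b" never equals "scdefgh_tal1080_d_b" from the other index (hence the `\s*` and `trim` above), and the job name has to be spelled identically in both indexes (the two sample events in the thread carry different prefixes). `join` also runs its inner search as a subsearch, so it inherits the subsearch result and time limits, whereas `stats` over a single combined search has no such ceiling.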
