Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Retrieving data from one query and using it to find data from another

momagic
Engager
‎01-31-2025 02:23 PM

I have a query From source A that i need to get a list of 3 parameters back and for one of these parameters which is a ID and i need to get the the actual name of the object from another query from source B using this ID. Eventually i need  i want to create a table to print the 3 parameter including the name also. Any help would be greatly appreciated?

Labels (3)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-31-2025 11:37 PM

To receive help in Splunk search, it is best to give more concrete information, even if you use mock names and values.

Assuming the two different sources are sourcetype sourceA and sourceB.  The 3 parameters in sourceA are named "ID", "param2", and "param3".  Further assume that sourceB has the same field name "ID" to match that in sourceA, and that "actual name of the object" is in field named "name".  Assuming that all these fields are already extracted.

sourcetype IN (sourceA, sourceB)
| stats values(name) as name values(param2) as param2 values(param3) as param3 by ID

 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2025 10:57 PM

Hi @momagic ,

you have to use a subsearch:

create a main query containing the data to display,

adding as subsearch (putting it between square brackets and adding the search command at the beginning) the search containing the parameters,

then you can display the fields you want.

You have to put attention to two things:

  • at the end of the subsearch yo have to use a command as table or fields to list only the fields used as filters,
  • the fields from the subsearch must have exactly (case sensitive) the same names of the fields in the main search.

For example, if the fields to use to filter events are FieldA and FieldB but ib the subsearch there are also other fields, you should write:

index=index1 [ search index=index2 | fields FieldA FieldB ]
| table _time host field1 field2 FieldA FieldB

If you haven't much experience on Splunk searches and you didn't followed a course (there are many free courses in Splunk), you could follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/SearchTutorial/WelcometotheSearchTutorial) that explain how to use Splunk for searching, and here you can find a description of how to use subsearches https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/SearchTutorial/Useasubsearch

Ciao.

Giuseppe

Ciao.

Giuseppe

Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top