I'm looking to find everything that has the string "Task Failed". I want splunk to get the task_id and then use all those task_id's for another search which looks for different strings but only ones that also have the ID's it found in the initial search.
I think a subsearch would do the trick for you;
Assuming that you have sourcetype_A containing the task_id's you look for, and sourcetype_B is where you want to search for different_string where the task_id matches.
sourcetype=sourcetype_B different_string=* [search sourcetype_A "Task failed" | fields + task_id]
The subsearch finds all events with "Task failed", and returns:
task_id=X OR task_id=Y OR task_id=Z
i.e. all task_id's found, and they are passed as parameters to the outer search.
http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork
Hope this helps,
Kristian
Thank you for that pointer gkanapathy. Seems much simpler to use 'return'... hadn't really looked at it.
tb582, did you get the search to work the way you wanted?
/k
Then just use the same sourcetype name in both places. However, I would recommend using, instead of fields, the new return command, as return 10000 task_id. This basically combines fields with dedup, and makes explicit the maximum number of task_ids that will be considered.
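As an added example (not from the original thread, and not Splunk code) of what the subsearch in Kristian's answer hands to the outer search, and of the dedup-and-cap behaviour gkanapathy describes for return 10000 task_id, the Python below replays both passes over a handful of constructed log lines. The event text, the app_log and other_log sourcetype names and the task_id values are all made up for the illustration; the key=value extraction is a stand-in for Splunk's own field extraction.

```python
import re
from collections import OrderedDict

# Constructed sample events (sourcetype, _raw). Both halves of the search use the
# same sourcetype, as the original poster said. task_id 101 fails twice on purpose,
# so the difference between `fields` and `return` is visible in the expansion.
EVENTS = [
    ("app_log", "2024-01-01T10:00:00 task_id=101 Task Failed: timeout"),
    ("app_log", "2024-01-01T10:00:05 task_id=102 Task Started"),
    ("app_log", "2024-01-01T10:00:07 task_id=101 Task Failed: retry timed out"),
    ("app_log", "2024-01-01T10:00:09 task_id=103 Task Failed: disk full"),
    ("app_log", "2024-01-01T10:01:00 task_id=101 Rollback completed"),
    ("app_log", "2024-01-01T10:01:01 task_id=102 Rollback completed"),
    ("app_log", "2024-01-01T10:01:02 task_id=103 Rollback completed"),
    ("app_log", "2024-01-01T10:01:03 task_id=104 Rollback completed"),
    ("other_log", "2024-01-01T10:01:04 task_id=103 Rollback completed"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_fields(raw):
    """Minimal key=value extraction, standing in for Splunk's automatic field extraction."""
    return dict(KV_RE.findall(raw))


def inner_search(events, term, field="task_id"):
    """Simulates `search "<term>" | fields + <field>`: one value per matching event,
    duplicates included, in event order."""
    values = []
    for _sourcetype, raw in events:
        if term.lower() in raw.lower():  # Splunk term matching is case-insensitive
            fields = extract_fields(raw)
            if field in fields:
                values.append(fields[field])
    return values


def return_cmd(values, n):
    """Simulates `| return <n> <field>` as gkanapathy describes it: dedup, then
    keep at most n values."""
    return list(OrderedDict.fromkeys(values))[:n]


def subsearch_clause(values, field="task_id"):
    """The OR clause the subsearch is expanded into before the outer search runs."""
    return " OR ".join(f"{field}={v}" for v in values)


def outer_search(events, sourcetype, term, clause, field="task_id"):
    """Simulates `sourcetype=<sourcetype> "<term>" [subsearch]` by parsing the
    expanded clause back into the set of allowed values."""
    allowed = {part.split("=", 1)[1] for part in clause.split(" OR ") if part}
    hits = []
    for st, raw in events:
        if st != sourcetype or term.lower() not in raw.lower():
            continue
        if extract_fields(raw).get(field) in allowed:
            hits.append(raw)
    return hits


def failed_task_rollbacks(events, cap=10000):
    """End-to-end: the two-pass search from the thread, with return instead of fields.
    Returns the expanded clause and the outer-search hits; an empty inner result
    yields an empty clause and no hits in this simulation."""
    ids = return_cmd(inner_search(events, "Task Failed"), cap)
    clause = subsearch_clause(ids)
    return clause, outer_search(events, "app_log", "Rollback completed", clause)


if __name__ == "__main__":
    clause, hits = failed_task_rollbacks(EVENTS)
    print("subsearch expands to:", clause)
    for h in hits:
        print(h)
```

Running it shows the fields-only expansion would be task_id=101 OR task_id=101 OR task_id=103, while return 10000 task_id collapses that to task_id=101 OR task_id=103 and puts an explicit ceiling on how many values reach the outer search; the outer pass then keeps only the app_log rollback events for tasks 101 and 103.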
It's the same source type.