Searching the results of a query in a different in...

9jamie · ‎04-26-2022

I have a query that returns a table of extracted IDs:

index=my_index | rex field=_raw "ID=\[(?<id>.*\]\[.*\]" | table id

I simply need to search the results of the above query under a different index, then return a stats count by a field from that index. I've tried using subsearch and join but must not be using them correctly as no results are returned. What would be the correct way to do this?

ITWhisperer · ‎04-27-2022

index=other_index [ index=my_index | rex field=_raw "ID=\[(?<id>.*\]\[.*\]" | table id ]

VatsalJagani · ‎04-26-2022

@9jamie - I may be wrong here but have you tried running something like this?

index=* | rex field=_raw "ID=\[(?<id>.*\]\[.*\]" 
| stats count by id, index

I hope this helps!!! Karma/Upvote would be appreciated!!

bowesmana · ‎04-26-2022

Please give details of the subsearch you have tried

shivanshu1593 · ‎04-26-2022

Hello,

You can try the following and pick what best suits your requirements:

1. Via Join:

index=my_index 
| rex field=_raw "ID=\[(?<id>.*\]\[.*\]"
| table id 
| join id [ search index=foo | table id bar] 
| stats count by bar id

2. By multisearch:

| multisearch [search index=myindex | rex field=_raw "ID=\[(?<id>.*\]\[.*\]"| fields id baz]
[search index=foo | rename id as id2 | fields id2 bar]
| eval match = if(id=id2, 1, 0)
| where match = "1"
| stats count by bar Baz id

Hope this helps,

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

Searching the results of a query in a different index

join

subsearch

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation