Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using Results from a search and use them in a new search

akelly4
Path Finder
‎12-03-2014 05:26 AM

I'm trying to figure out if it's possible to take the results out of a search and define them and automatically use them in a subsearch. The results will change each time the search is ran.

As an example, in the log below I am pulling out "32573", "D2E8DB9A3F_4761818F", "54461818_23272_700_1", and "18909934C1_4761819B". I've defined all of those as fields and now I want to be able to run a separate search that looks for logs that contain that information.

Nov 26 13:12:41 10.255.220.2 Nov 26 18:12:41 sm03 postfix/smtp[32573]: D2E8DB9A3F_4761818F: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.2, delays=0.01/0/0/0.19, dsn=2.0.0, status=sent (250 OK, sent 54461818_23272_700_1 1980934C1_4761819B)

Does anyone know if this is possible? If so can you just point me in the direction of what I could use to accomplish this?

Tags (1)
0 Karma
Reply

kendrickt
Path Finder
‎12-03-2014 07:17 AM

I'm pretty sure Workflows are what you need as they can:

"Launch secondary Splunk Enterprise searches that use one or more field values from selected events"

Take a look here:

Workflows

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/CreateworkflowactionsinSplunkWeb?r=sear...

0 Karma
Reply

changux
Builder
‎12-03-2014 07:08 AM

Hi. Maybe a search macro can be useful:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros

0 Karma
Reply

kendrickt
Path Finder
‎12-03-2014 06:57 AM

Hi akelly,

Have you tried looking at Workflows?

You can forward data from a field into a new search or to an external site?

Workflow Actions

http://docs.splunk.com/Splexicon:Workflowaction

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...