Splunk Search
Highlighted

Using Results from a search and use them in a new search

Path Finder

I'm trying to figure out if it's possible to take the results out of a search and define them and automatically use them in a subsearch. The results will change each time the search is ran.

As an example, in the log below I am pulling out "32573", "D2E8DB9A3F4761818F", "54461818232727001", and "18909934C1_4761819B". I've defined all of those as fields and now I want to be able to run a separate search that looks for logs that contain that information.

Nov 26 13:12:41 10.255.220.2 Nov 26 18:12:41 sm03 postfix/smtp[32573]: D2E8DB9A3F4761818F: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.2, delays=0.01/0/0/0.19, dsn=2.0.0, status=sent (250 OK, sent 54461818232727001 1980934C1_4761819B)

Does anyone know if this is possible? If so can you just point me in the direction of what I could use to accomplish this?

Tags (1)
0 Karma
Highlighted

Re: Using Results from a search and use them in a new search

Path Finder

Hi akelly,

Have you tried looking at Workflows?

You can forward data from a field into a new search or to an external site?

Workflow Actions

http://docs.splunk.com/Splexicon:Workflowaction

0 Karma
Highlighted

Re: Using Results from a search and use them in a new search

Builder
0 Karma
Highlighted

Re: Using Results from a search and use them in a new search

Path Finder

I'm pretty sure Workflows are what you need as they can:

"Launch secondary Splunk Enterprise searches that use one or more field values from selected events"

Take a look here:

Workflows

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/CreateworkflowactionsinSplunkWeb?r=sear...

0 Karma