Splunk Search

Using results from one search as a filter for another

dmacl
Explorer

Hi,

I'm trying to filter the results from one search based on the results from another search.

Example:

Consider the following table of data

user  eventId
Joe   1
Joe   2
Bob   3

I have created a search that returns only eventIds generated by user Joe and creates a token with the result

<search>
    <query>"event created" user=Joe | table eventId</query>
    <done>
        <set token="eventId">$result.eventId$</set>
    </done>
</search>

I have another table with the following data

eventId  eventName
1        myEvent_1
2        myEvent_2
3        myEvent_3

What I would like to do is create a search that will return just the eventId and eventName that was generated by user Joe using the token created in the first search. So far I have this query

"event names" eventId=$eventId$ | table eventId eventName

This query is only returning the first result from the token list rather than every result. Is there a way to use the token this way to return results from all values in the token? I would like to avoid using JOIN or subsearches as I will need to create multiple tables with the same token filter and those methods would start to get very slow. Thanks in advance!


somesoni2
Revered Legend

Try something like this

"event names" [search "event created" user=Joe | table eventId] | table eventId eventName

dmacl
Explorer

Thank you, this solution works. Is there a way to cache the results from the inner search though? I need to run the same inner search multiple times and would be cautious of the performance of doing so.

0 Karma

ITWhisperer
SplunkTrust

You only have access to the first row of results. If you want more data, you will have to rewrite the first search to return the data in the first row.

0 Karma

dmacl
Explorer

Thanks for the reply, how would I go about rewriting the first search to return all the data in the first row?

0 Karma

ITWhisperer
SplunkTrust

You could try this

| stats list(*) as *

which should give you multivalue fields for all non-null columns - the issue with this is that if any of the rows have nulls in some of the time, the rows across the multivalue fields become misaligned.

0 Karma

dmacl
Explorer

Thank you! This does exactly what I needed. So I used the stats list as you mentioned

<search>
    <query>"event created" user=Joe | stats list(eventId) as eventId</query>
    <done>
        <set token="eventId">$result.eventId$</set>
    </done>
</search>

and I was able to use the token in my later searches using IN

"event names" | search eventId IN($eventId$) | table eventId eventName

I've accepted this answer because it uses the cached values, which was important for my requirements.
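
Putting the two searches together in one SimpleXML dashboard, as an added example that is not from the original thread: the base search collapses all of the user's eventIds into a single row, the done handler copies that row into the token, and every panel reuses $eventId$ without re-running the inner search. It departs from the thread in two places, both marked in comments: it uses stats values (which drops duplicate IDs) plus mvjoin so the comma-separated form that IN() expects is explicit, instead of relying on how a multivalue list(eventId) is rendered into the token; and it quotes the user-name input with the |s token filter so a value typed into the dashboard cannot alter the search. The text input, the second panel and the titles are assumptions.

```xml
<form>
  <label>Events by user (added example, not from the original thread)</label>

  <fieldset submitButton="false">
    <!-- Assumed text input so the user name is not hard-coded as in the thread -->
    <input type="text" token="user">
      <label>User</label>
      <default>Joe</default>
    </input>
  </fieldset>

  <!-- Base search, run once per dashboard load.
       The done handler only sees the first result row, so every eventId
       for the user is collapsed into that one row:
         values() dedupes the IDs (the thread used list(), which keeps duplicates),
         mvjoin() makes the comma-separated form IN() expects explicit.
       $user|s$ wraps the typed value in quotes so it is treated as a literal. -->
  <search id="user_events">
    <query>"event created" user=$user|s$
      | stats values(eventId) as eventId
      | eval eventId=mvjoin(eventId, ",")</query>
    <done>
      <set token="eventId">$result.eventId$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Event names for $user$</title>
      <table>
        <!-- Same filter as the accepted answer; no subsearch, no re-run of the base search -->
        <search>
          <query>"event names" eventId IN($eventId$) | table eventId eventName</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Count per event name for $user$</title>
      <table>
        <!-- Second consumer of the cached token: the inner search is not repeated -->
        <search>
          <query>"event names" eventId IN($eventId$) | stats count by eventName</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The |s filter is not applied to $eventId$ because it would wrap the whole list in one quoted string and break the IN() clause; those values come from the base search rather than from dashboard input, and if the eventIds were free text rather than numbers you would want to inspect the rendered search before trusting the filter.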

0 Karma