Solved: Re: Using the Output from a Search in One Index to...

JoeHubner · ‎03-25-2022

I am looking to search in one Index for a specific field name and then use a second field from that Index to search a second Index for that value. For example

IndexA has field names Project and IRNumber / IndexB has a field named InternalRequest

IRNumber in Index A and InternalRequest in IndexB are the same values

I would like to search IndexA by Project and then use the associated IRNumber from IndexA to search IndexB for the InternalRequest with the same value and then table various values from IndexB associated with that InternalRequest value. Is there some way to use a sub-search to do this?

JoeHubner · ‎03-25-2022

Worked like a charm. Thanks for the assistance.

View solution in original post

JoeHubner · ‎03-25-2022

Worked like a charm. Thanks for the assistance.

ITWhisperer · ‎03-25-2022

You can do this with subsearches either by adding the subsearch to the main search, or by using a join, or possibly using stats

For example:

index=B [| search index=A project=X | dedup IRNumber | rename IRNumber as InternalRequest | fields InternalRequest]

Using the Output from a Search in One Index to Search in a Second Index

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!