Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

distinct output from one splunk search as input to another

bmer
Explorer
‎05-12-2025 01:21 AM

Hi Team,

I have 2 splunks as below

  1. (index=xxxx) orgName=xxx sourcetype=CASE(SourceA) earliest=-15d uniqueIdentifier="Class.ClassName.MethodName*" | dedup SourceASqlId | tableSourceASqlId
  2. (index=xxxx) orgName=xxx sourcetype=CASE(SourceB) earliest=-15d SourceBSqlId=xxxx | table SourceBSqlText

I want to form a single splunk to get ALL the distinct "SourceASqlId" [splunk # 1], get them as input to "SourceBSqlId" [splunk #2] and generate FINAL output as "SourceBSqlText

How can we achieve it.Iam even ok if the date range can be reduce to say 2d to make the splunk optimised as I feel my requirement is very heavy compute intensive

Thanks.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2025 01:41 AM

The simplest way to do this (although perhaps not the most optimal) would be something like this

(index=xxxx) orgName=xxx sourcetype=CASE(SourceB) earliest=-15d [search (index=xxxx) orgName=xxx sourcetype=CASE(SourceA) earliest=-2d uniqueIdentifier="Class.ClassName.MethodName*" | dedup SourceASqlId | rename SourceASqlId as SourceBSqlId | table SourceBSqlId]
| table SourceBSqlText

Bear in mind that subsearches are limited to 50,000 events

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎05-12-2025 04:23 AM

There is most probably a better way to achieve your goal. Try to describe the logic behind what you're trying to do.

Anyway, 

| dedup A | table A

is usually _not_ the way to go. You'd rather want to do

| stats values(A) as A | mvexpand A

 

0 Karma
Reply
Solved! Jump to solution

bmer
Explorer
‎05-12-2025 02:32 AM

@ITWhisperer I received an error saying "Error in 'SearchParser': Missing a search command before '('.Error at position '90' of search query 'search (index=xxxx) CASE(SourceA) source..."

Also any reason why the outer search is of 15d whereas subsearch is set for 2d?Is it for the optimisation?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2025 02:51 AM

Updated response - you said 2d would be OK - essentially, the subsearch needs to be fewer than 50,000 events, so if 15d matches that requirement, then use 15d otherwise use a smaller amount (like 2d as you suggested).

0 Karma
Reply
Solved! Jump to solution

livehybrid
Super Champion
‎05-12-2025 02:37 AM

Hi @bmer 

The subsearch is missing the "search" prefix, try this (adjusted to -2d as required)

(index=xxxx) orgName=xxx sourcetype=CASE(SourceB) earliest=-2d 
    [ search (index=xxxx) orgName=xxx sourcetype=CASE(SourceA) earliest=-2d uniqueIdentifier="Class.ClassName.MethodName*" 
    | dedup SourceASqlId 
    | rename SourceASqlId as SourceBSqlId 
    | table SourceBSqlId] 
| table SourceBSqlText

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2025 01:41 AM

The simplest way to do this (although perhaps not the most optimal) would be something like this

(index=xxxx) orgName=xxx sourcetype=CASE(SourceB) earliest=-15d [search (index=xxxx) orgName=xxx sourcetype=CASE(SourceA) earliest=-2d uniqueIdentifier="Class.ClassName.MethodName*" | dedup SourceASqlId | rename SourceASqlId as SourceBSqlId | table SourceBSqlId]
| table SourceBSqlText

Bear in mind that subsearches are limited to 50,000 events

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...