Splunk Search

how to create a single search where the output of the first query should act as input to the second query.

dina1701
Engager

We have two indexers in place. index=A & index=B. From index=A I have queried out the field which I want the value for.
index=A | search PC="*" | table ReqID index, this will return value to the field ReqID. Lets say ReqID=X.

Now I have to use the value of the above field ReqID=X and search in another index=B. In the index=B the same value carries a field name called RequestersID=X.

I have to create a search query in such way that output from the first index should automatically serve the purpose as input to the second index=B and provide a combine result in the form of table.
| table ReqID RequestersID index

Tags (1)
0 Karma

somesoni2
Revered Legend

You need to use subsearch like this

index=B [search index=A | search PC="*" | table ReqID | rename reqID as RequestersID ] | table RequesterID index

Since you're looking for events which has same RequesterID as ReqID in index A, both fields in your final table ReqID and RequestersID will be same, so I've not added it. If you need it , just add | eval ReqID =RequesterID at the end.

dina1701
Engager

Thanks somesoni2 for replying. Can you please anything further on this to obtain the results

I have tried executing this command, I was quite unsuccessful as there no events getting written
index=orsapps [ search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID ] | rex "RequestersID>(?[^<]*)" | table RequestersID _time index

But when I type individual queries I am able to see the table -
index=orsapps
| rex "RequestersID>(?[^<]*)"
| table RequestersID _time index

Result -
RequestersID _time index
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps

Individual subquery result -
search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID

RequestersID _time index
0610479853358211 2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
0610479853358211 2017-03-27 11:29:05 esbapps
0610467479012357 2017-03-27 11:28:55 esbapps
2017-03-27 11:28:54 esbapps
2017-03-27 11:28:54 esbapps
0610467479012357 2017-03-27 11:28:53 esbapps

Output of the first query is to be servered as the input to the first query. Can you please help me in getting all in a same table as in the final result. Final table format -
RequestersID _time index
xxxxx xxxxx esbapps
xxxxx xxxxx orsapps

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...