Splunk Search

how to create a single search where the output of the first query should act as input to the second query.

dina1701
Engager

We have two indexers in place. index=A & index=B. From index=A I have queried out the field which I want the value for.
index=A | search PC="*" | table ReqID index, this will return value to the field ReqID. Lets say ReqID=X.

Now I have to use the value of the above field ReqID=X and search in another index=B. In the index=B the same value carries a field name called RequestersID=X.

I have to create a search query in such way that output from the first index should automatically serve the purpose as input to the second index=B and provide a combine result in the form of table.
| table ReqID RequestersID index

Tags (1)
0 Karma

somesoni2
Revered Legend

You need to use subsearch like this

index=B [search index=A | search PC="*" | table ReqID | rename reqID as RequestersID ] | table RequesterID index

Since you're looking for events which has same RequesterID as ReqID in index A, both fields in your final table ReqID and RequestersID will be same, so I've not added it. If you need it , just add | eval ReqID =RequesterID at the end.

dina1701
Engager

Thanks somesoni2 for replying. Can you please anything further on this to obtain the results

I have tried executing this command, I was quite unsuccessful as there no events getting written
index=orsapps [ search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID ] | rex "RequestersID>(?[^<]*)" | table RequestersID _time index

But when I type individual queries I am able to see the table -
index=orsapps
| rex "RequestersID>(?[^<]*)"
| table RequestersID _time index

Result -
RequestersID _time index
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps

Individual subquery result -
search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID

RequestersID _time index
0610479853358211 2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
0610479853358211 2017-03-27 11:29:05 esbapps
0610467479012357 2017-03-27 11:28:55 esbapps
2017-03-27 11:28:54 esbapps
2017-03-27 11:28:54 esbapps
0610467479012357 2017-03-27 11:28:53 esbapps

Output of the first query is to be servered as the input to the first query. Can you please help me in getting all in a same table as in the final result. Final table format -
RequestersID _time index
xxxxx xxxxx esbapps
xxxxx xxxxx orsapps

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...