how to pass the output of one query as search key ...

bkumarm · ‎09-27-2018

I have raw events that look as below:

2018:08:22:22:39:51.731 myhostname 3:INFO MY_IDENTIFIER_TEST 548026790130303164 454
2018:08:22:22:39:51.731 myhostname 3:INFO MY_STR_METHOD_ACTION.COMPONENT TEST 548026790130303164
2018:08:22:22:39:51.752 myhostname 1:ERR1 MY_SERVICE_TYPE STRTST 548026790130303164 ERRMSG : Main problem: Sub problem message

=====================================
I want to create a table that have equal "548026790130303164" values in 2dn and and 3rd row.
need help in getting the right search query.

I want the three column table output like below:

548026790130303164 "MY_STR_METHOD_ACTION.COMPONENT" "ERRMSG : Main problem: Sub problem message"

kamlesh_vaghela · ‎09-29-2018

@bkumarm

you can use transaction command to co-relate events.
http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Transaction

Can you please tell me in which field you are getting value 548026790130303164? So I can help you to design search.

bkumarm · ‎09-30-2018

I need a list of refids that have MY_STR_METHOD_ACTION and ERRMSG : Main problem: Sub problem message

Example:
2018:08:22:22:39:51.731 myhostname 3:INFO MY_IDENTIFIER1_TEST 548026790130303164 454
2018:08:22:22:39:51.731 myhostname 3:INFO MY_STR_METHOD_ACTION1.COMPONENT1 TEST 548026790130303164
2018:08:22:22:39:51.752 myhostname 1:ERR1 MY_SERVICE_TYPE STRTST 548026790130303164 ERRMSG : Main problem1: Sub problem message11

the output should be
548026790130303164 MY_STR_METHOD_ACTION1.COMPONENT1 ERRMSG : Main problem1: Sub problem message11

how to pass the output of one query as search key to a subsearch?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7