Re: search on subsearch using data in main search ...

taufiqkpi · ‎04-04-2021

hello Splunkers!
I've got an issue with this query, in "main search" I got data src, can I use "src" to get data on my "second search".
later on, the final result ignored from "main search "
anyone can help me?
thanks,

index=VPN | table src -> main search
    [search index=firewall | table src dest_ip] -> second search
    | table src dest_ip

scelikok · ‎04-04-2021

So, my search should work for you.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

taufiqkpi · ‎04-21-2021

Sorry this solution not solving my problem

scelikok · ‎04-04-2021

Hi @taufiqkpi,

I think you want to filter VPN sources from Firewall index, please try below;

search index=firewall NOT 
    [ index=VPN 
    | fields src] 
| table src dest_ip

If this reply helps you an upvote and "Accept as Solution" is appreciated.

taufiqkpi · ‎04-04-2021

Sory sir @scelikok, I mean from main search we get src fields.

index=VPN | table src

after this, fileds src from "main search" as search data to "second search"

[search src="from data main search" index=firewall | table src dest_ip]
    | table src dest_ip

search on subsearch using data from main search results

join

subsearch

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment