Splunk Search

search on subsearch using data from main search results

taufiqkpi
Loves-to-Learn

Hello Splunkers!
I've got an issue with this query: in the "main search" I get the field src. Can I use "src" to get data in my "second search"?
Later on, the final result from the "main search" is ignored.
Can anyone help me?
Thanks,

index=VPN | table src -> main search
    [search index=firewall | table src dest_ip] -> second search
    | table src dest_ip

scelikok
Influencer

So, my search should work for you.

If this reply helps you an upvote is appreciated.

scelikok
Influencer

Hi @taufiqkpi,

I think you want to filter VPN sources from the Firewall index; please try the below:

search index=firewall NOT 
    [ index=VPN 
    | fields src] 
| table src dest_ip

If this reply helps you an upvote is appreciated.

taufiqkpi
Loves-to-Learn

Sorry sir @scelikok, I mean from the main search we get the src field.

index=VPN | table src

After this, the src field from the "main search" is used as search data for the "second search":

[search src="from data main search" index=firewall | table src dest_ip]
    | table src dest_ip

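Added example (not posted by anyone in this thread) of the two usual ways to use the src values found in one index as the filter for another, assuming both indexes name the field src as in the question. In the first query the subsearch runs first and its results are rendered by the implicit format command as `( ( src="..." ) OR ( src="..." ) )`, which becomes part of the outer firewall search; the stats in the subsearch dedups the sources so each value is sent once. The second query avoids the subsearch altogether by reading both indexes at once and keeping only src values that appear in both.

```spl
index=firewall
    [ search index=VPN
      | stats count BY src
      | fields src ]
| table src dest_ip

(index=VPN) OR (index=firewall)
| stats values(index) AS indexes, values(dest_ip) AS dest_ip BY src
| where mvcount(indexes)=2
| table src dest_ip
```

The subsearch form is silently truncated at the defaults in limits.conf (10,000 results, 60 seconds), so check the job inspector for a subsearch warning when the VPN index has many distinct sources; the stats form has no such limit and is the safer choice for large source lists.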