Solved: subsearch from previous results

bijodev1 · ‎02-02-2022

I need to run three different queries based on the each respective results.

for example :

1) In the first one query : index * search | top result.

so let's say I pick the first result which is "abc"

2) In second query I use the first result and inject it in here

index=* search result=abc | top status

3) Use the second result and inject it in the third search

index=* search result=abc status=xyz | timechart count by "something"

I am not sure if there is easier way to do it or this would take more time and bandwidth. Any help would be really helpful. Need some guidance here.

ITWhisperer · ‎02-02-2022

Subsearches are execute first so try nesting the searches like this

index=* 
    [ search index=*
        [ search index=* 
        | top result
        | head 1
        | table result ]
    | top status result
    | head 1
    | table status result ]
| timechart count by "something"index=*

View solution in original post

bijodev1 · ‎02-03-2022

thank you @ITWhisperer it worked as expected.

ITWhisperer · ‎02-02-2022

Subsearches are execute first so try nesting the searches like this

index=* 
    [ search index=*
        [ search index=* 
        | top result
        | head 1
        | table result ]
    | top status result
    | head 1
    | table status result ]
| timechart count by "something"index=*

subsearch from previous results

field extraction

regex

subsearch

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation