Splunk Search

subsearch from previous results

bijodev1
Communicator

I need to run three different queries, each based on the result of the previous one.

for example :

1) In the first query: index=* search | top result.

So let's say I pick the first result, which is "abc".

2) In the second query I use the first result and inject it here:

index=* search result=abc | top status

3) Use the second result and inject it into the third search:

index=* search result=abc status=xyz | timechart count by "something"

 

I am not sure if there is an easier way to do it, or whether this would take more time and bandwidth. Any help would be really helpful. I need some guidance here.

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Subsearches are executed first, so try nesting the searches like this:

index=*
    [ search index=*
        [ search index=*
        | top result
        | head 1
        | table result ]
    | top status result
    | head 1
    | table status result ]
| timechart count by "something"

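To see what each nested subsearch hands back to the search that encloses it, here is an added Python model of the accepted answer's mechanics (it is not Splunk code and not from the thread): each `top ... | head 1 | table ...` stage picks the most frequent field combination, is rendered as the `field="value" AND ...` filter that Splunk's `format` would produce, and that filter narrows the next stage. The events are constructed sample data, and the field names `result`, `status` and `something` are assumed from the question.

```python
"""Model of how Splunk expands the nested subsearch from the accepted answer."""
from collections import Counter

# Constructed sample events standing in for index=* (not from the thread).
EVENTS = [
    {"result": "abc", "status": "xyz", "something": "web"},
    {"result": "abc", "status": "xyz", "something": "web"},
    {"result": "abc", "status": "xyz", "something": "db"},
    {"result": "abc", "status": "200", "something": "web"},
    {"result": "def", "status": "xyz", "something": "web"},
    {"result": "def", "status": "500", "something": "db"},
]


def top_head1(events, fields):
    """'| top <fields> | head 1 | table <fields>': the most frequent combination.

    'table' drops the count/percent columns that 'top' adds, so only the named
    fields are returned to the outer search.
    """
    counts = Counter(tuple(e.get(f) for f in fields) for e in events)
    best, _count = counts.most_common(1)[0]
    return dict(zip(fields, best))


def expand(row):
    """Render one subsearch row as the SPL filter Splunk substitutes for it."""
    return "( " + " AND ".join(f'{k}="{v}"' for k, v in row.items()) + " )"


def matches(event, row):
    """Apply the expanded filter: every field must equal its subsearch value."""
    return all(event.get(k) == v for k, v in row.items())


def nested_search(events):
    """Run the three stages innermost-first, as Splunk evaluates subsearches."""
    inner = top_head1(events, ["result"])                      # innermost [ ... ]
    middle_events = [e for e in events if matches(e, inner)]
    middle = top_head1(middle_events, ["status", "result"])    # middle [ ... ]
    outer_events = [e for e in events if matches(e, middle)]
    by_something = Counter(e["something"] for e in outer_events)  # count by "something"
    return {
        "inner_filter": expand(inner),      # ( result="abc" )
        "middle_filter": expand(middle),    # ( status="xyz" AND result="abc" )
        "count_by_something": dict(by_something),
    }
```

The `head 1` in each stage also keeps the subsearch well under Splunk's default subsearch limits (10,000 results and 60 seconds in limits.conf), which is what makes this nesting safe to run on a large index.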

bijodev1
Communicator

Thank you @ITWhisperer, it worked as expected.

0 Karma
