Solved: subsearch from previous results

bijodev1 · ‎02-02-2022

I need to run three different queries based on the each respective results.

for example :

1) In the first one query : index * search | top result.

so let's say I pick the first result which is "abc"

2) In second query I use the first result and inject it in here

index=* search result=abc | top status

3) Use the second result and inject it in the third search

index=* search result=abc status=xyz | timechart count by "something"

I am not sure if there is easier way to do it or this would take more time and bandwidth. Any help would be really helpful. Need some guidance here.

ITWhisperer · ‎02-02-2022

Subsearches are execute first so try nesting the searches like this

index=* 
    [ search index=*
        [ search index=* 
        | top result
        | head 1
        | table result ]
    | top status result
    | head 1
    | table status result ]
| timechart count by "something"index=*

View solution in original post

bijodev1 · ‎02-03-2022

thank you @ITWhisperer it worked as expected.

ITWhisperer · ‎02-02-2022

Subsearches are execute first so try nesting the searches like this

index=* 
    [ search index=*
        [ search index=* 
        | top result
        | head 1
        | table result ]
    | top status result
    | head 1
    | table status result ]
| timechart count by "something"index=*

subsearch from previous results

field extraction

regex

subsearch

timechart

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?