Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

use a result value, as fieldname in subsearch

sbsbb
Builder
‎09-02-2013 06:04 AM

I have a first search, that return "system1"

Then I want to use that value, to get the appropriate value out of a subsearch timechart :

first restult :
system
system1

second result :
system1 system2 system3
_time 1 2 3
_time 4 5 4
_time 4 4 4

How could I do that ?
is there a way to put the first result in a parameter, that could be used in the subsearch as fieldname ?

index=myfirstquery | table system | subsearch [ _time=$_time$ | eval myValue=fieldName[$system$]]

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-02-2013 06:59 AM

I think you might be able to turn it around, making the so-called first search the subsearch;

second_search_terms [search first_search_terms | dedup system | fields + system] | further_processing

search_terms would be stuff like earliest / latest, index, sourcetype etc.

The idea is that the inner search will (via the fields + command) only return the field system, so that the outer search will effectively look like;

second_search_terms (system=aaa OR system=bbb or system=ccc) | further_processing

I think that this is what you're after.

EDIT: Fixed a typo

/K

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-02-2013 06:59 AM

I think you might be able to turn it around, making the so-called first search the subsearch;

second_search_terms [search first_search_terms | dedup system | fields + system] | further_processing

search_terms would be stuff like earliest / latest, index, sourcetype etc.

The idea is that the inner search will (via the fields + command) only return the field system, so that the outer search will effectively look like;

second_search_terms (system=aaa OR system=bbb or system=ccc) | further_processing

I think that this is what you're after.

EDIT: Fixed a typo

/K

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-05-2013 05:41 AM

well, return and fields are pretty similar in effect

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎09-05-2013 04:37 AM

I know pretty well how subsearch work, that doesn't help, but maybe is return what I'm searching for
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Return

I think change subsearch order like Kristian suggested + return function should do the job

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-03-2013 12:24 AM

Read up on how subsearches work. http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch

Reply
Solved! Jump to solution

sbsbb
Builder
‎09-02-2013 10:23 PM

I'm not sure if this is bringing me further, where did you pass the fieldname to the second search part ?
If one of the search is returning "system1" as result, I have to read the content of the "system1" field in the second part...

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-02-2013 06:08 AM

You can never pass variables from outer searches to subsearches, because subsearches run before outer searches and as such cannot read values that haven't been extracted/evaluated in the outer searches yet.

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...