I have a first search that returns "system1".
Then I want to use that value to get the appropriate value out of a subsearch timechart:
first result:

system
system1

second result:

_time   system1   system2   system3
_time   1         2         3
_time   4         5         4
_time   4         4         4
How could I do that?
Is there a way to put the first result in a parameter that could be used in the subsearch as a field name?
index=myfirstquery | table system | subsearch [ _time=$_time$ | eval myValue=fieldName[$system$]]
I think you might be able to turn it around, making the so-called first search the subsearch:
second_search_terms [search first_search_terms | dedup system | fields + system] | further_processing
search_terms would be stuff like earliest / latest, index, sourcetype etc.
The idea is that the inner search will (via the fields + command) only return the field system, so that the outer search will effectively look like:
second_search_terms (system=aaa OR system=bbb OR system=ccc) | further_processing
I think that this is what you're after.
EDIT: Fixed a typo
/K
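To make the ordering Kristian describes concrete, here is a small Python model of subsearch expansion. It is an added illustration, not Splunk code and not anything posted in this thread: it takes the rows an inner search like `... | dedup system | fields + system` would hand back (constructed sample data below) and renders the OR-of-terms fragment the outer search ends up seeing. The exact parenthesising and quoting Splunk emits is simplified here (an assumption); the point it shows is that the inner rows are already a fixed string by the time the outer search runs, which is why nothing from the outer search can flow back into the subsearch, and why values are quoted and escaped before they are spliced into search syntax.

```python
"""Model of how a Splunk subsearch is expanded into its outer search.

Constructed illustration, not Splunk's own code: it reproduces the shape
described in the answer above (inner search runs first, each of its rows
becomes field=value terms, rows are ORed together) so the ordering
constraint discussed in the thread can be seen concretely.
"""
from typing import Dict, List

# Constructed sample: rows the inner search `... | dedup system | fields + system`
# would return, matching the "first result" in the question.
INNER_RESULTS: List[Dict[str, str]] = [
    {"system": "system1"},
    {"system": "system1"},   # duplicate row, removed by dedup below
    {"system": "system2"},
]


def dedup(rows: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Keep the first row for each distinct value of `field` (what `dedup system` does),
    so the generated fragment does not repeat the same OR term."""
    seen = set()
    out = []
    for row in rows:
        key = row.get(field)
        if key in seen:
            continue
        seen.add(key)
        out.append(row)
    return out


def quote(value: str) -> str:
    """Quote a value for use as a search term, escaping backslashes and embedded
    quotes so a value such as  a"b  cannot change the structure of the search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def expand_subsearch(rows: List[Dict[str, str]]) -> str:
    """Render inner-search rows as the fragment the outer search sees.

    Each row becomes a conjunction of its field=value terms; rows are ORed.
    An inner search with no rows contributes nothing at all.
    (Simplified parenthesising; assumption, not Splunk's exact output.)"""
    clauses = []
    for row in rows:
        terms = [f"{field}={quote(value)}" for field, value in sorted(row.items())]
        clauses.append("(" + " AND ".join(terms) + ")")
    if not clauses:
        return ""
    return "(" + " OR ".join(clauses) + ")"


def build_search(outer_terms: str, inner_rows: List[Dict[str, str]], further: str) -> str:
    """Assemble `outer_terms [subsearch] | further` in the order the thread describes:
    the subsearch is evaluated first, then its text is spliced into the outer search."""
    fragment = expand_subsearch(inner_rows)
    head = outer_terms if not fragment else f"{outer_terms} {fragment}"
    return f"{head} | {further}"


if __name__ == "__main__":
    inner = dedup(INNER_RESULTS, "system")
    print(build_search("index=second_index", inner, "timechart count by system"))
```

Run as a script it prints the outer search with the inner values already substituted; the `dedup` step shows why Kristian includes it, and `quote` is the part a detection author should keep in mind whenever inner results come from untrusted event data.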
Well, return and fields are pretty similar in effect.
I know pretty well how subsearches work; that doesn't help, but maybe return is what I'm searching for
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Return
I think changing the subsearch order like Kristian suggested + the return function should do the job
Read up on how subsearches work. http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch
I'm not sure if this is bringing me further; where did you pass the field name to the second search part?
If one of the searches is returning "system1" as a result, I have to read the content of the "system1" field in the second part...
You can never pass variables from outer searches to subsearches, because subsearches run before outer searches and as such cannot read values that haven't been extracted/evaluated in the outer searches yet.