Splunk Search

use a result value, as fieldname in subsearch

Builder

I have a first search that returns "system1".

Then I want to use that value to get the appropriate value out of a subsearch timechart:

first result:
system
system1

second result:
_time  system1  system2  system3
_time  1        2        3
_time  4        5        4
_time  4        4        4

How could I do that?
Is there a way to put the first result in a parameter that could be used in the subsearch as a field name?

index=myfirstquery | table system | subsearch [ _time=$_time$ | eval myValue=fieldName[$system$]]


Ultra Champion

I think you might be able to turn it around, making the so-called first search the subsearch:

second_search_terms [search first_search_terms | dedup system | fields + system] | further_processing

search_terms would be stuff like earliest / latest, index, sourcetype etc.

The idea is that the inner search will (via the fields + command) only return the field system, so that the outer search will effectively look like:

second_search_terms (system=aaa OR system=bbb or system=ccc) | further_processing

I think that this is what you're after.

EDIT: Fixed a typo

/K
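
The inversion Kristian describes, written out as an added example (not the poster's search and not Kristian's): the first search runs as the subsearch and hands the system name outward as a filter, so the outer timechart only ever contains the column for that system and nothing has to look the column up by name afterwards. The index names, sourcetype, time range, span and the value field are assumptions.

```spl
index=metrics sourcetype=system_stats earliest=-24h
    [ search index=myfirstquery earliest=-24h | dedup system | fields + system ]
| timechart span=1h sum(value) AS value BY system

index=metrics sourcetype=system_stats earliest=-24h
    [ search index=myfirstquery earliest=-24h | return system ]
| timechart span=1h sum(value) AS value BY system
```

The first form expands to (system=system1 OR system=system2 ...) and the second, using the return command from the docs linked below, to system="system1" for the first result only; in both the filter is applied before timechart runs, which is the one direction a subsearch can pass values.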

Ultra Champion

well, return and fields are pretty similar in effect


Builder

I know pretty well how subsearches work, that doesn't help, but maybe return is what I'm searching for:
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Return

I think changing the subsearch order like Kristian suggested + the return function should do the job.

Builder

I'm not sure if this is bringing me further; where did you pass the field name to the second search part?
If one of the searches is returning "system1" as a result, I have to read the content of the "system1" field in the second part...


Legend

You can never pass variables from outer searches to subsearches, because subsearches run before outer searches and as such cannot read values that haven't been extracted/evaluated in the outer searches yet.