Hi @sekhar463, I suppose that "Node" from the second search is the hostname of the first and that you want to use the Node from the second as key to filter the first search. If this is true, you can use the second search as a subsearch of the first, renaming the field, something like this:

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Windows
    [ search index=ivz_em_solarwinds source="solwarwinds_query://Test_unmanaged_Nodes_Data"
    | table Node Account Status From Until
    | dedup Node
    | rename Node AS hostname
    | fields hostname ]
| dedup hostname
| eval age=(now()-_time)
| eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S")
| eval Status=if(age<3600,"Running","DOWN")
| rename age AS Age
| eval Age=tostring(Age,"duration")
| lookup 0010_Solarwinds_Nodes_Export Caption AS hostname OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group,
    Application_Primary AS CMDB2_Application_Primary, Support_Group AS CMDB2_Support_Group, NodeID AS SW2_NodeID, Enriched_SW AS Enriched_SW2,
    Environment AS CMDB2_Environment
| eval Assign_To_Support_Group=if(Assign_To_Support_Group_Tag="CMDB_Support_Group", CMDB2_Support_Group, CMDB2_Application_Primary_Support_Group)
| table _time, hostname, sourceIp, Status, LastActiveTime, Age, SW2_NodeID, Assign_To_Support_Group, CMDB2_Support_Group, CMDB2_Environment
| where Status="DOWN" AND NOT isnull(SW2_NodeID) AND CMDB2_Environment="Production"
| sort 0 hostname

This solution has only one limitation: the subsearch can have max 50,000 results.

Ciao.
Giuseppe