×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lnetherton
Engager
Member since: ‎04-18-2012
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 10
Member Since ‎04-18-2012
Activity Feed
View All

Re: Search based on results of another search?

by in Splunk Search
‎03-06-2014 09:03 AM
8 Karma
‎03-06-2014 09:03 AM
8 Karma
Actually, I've figured it out. I needed to use the fields operator to specifically select only the field that I want to use to search ( search_id in my case). I also misunderstood the way that subsearches work -- it is important to know that the subsearch is evaluated first, and the result used to augment the outer search. This search term ended up doing what I wanted: sourcetype=catalina* [ search sourcetype=catalina* eventtype=search_fail | fields + search_id ] It was useful to know that the sub-search operation implicitly appends a | format operator on to the end. Combined with the fields + search_id operation, the sub-search term is effectively expanded to something like this: sourcetype=catalina* ( ( search_id="530959" ) OR ( search_id="529947" ) OR ( search_id="529938" ) OR ( search_id="529919" ) OR ( search_id="529793" ) OR ( search_id="529792" ) OR ( search_id="529568" ) OR ( search_id="529559" ) ) which of course produces the output that I was after. ... View more

Search based on results of another search?

by in Splunk Search
‎03-06-2014 08:37 AM
2 Karma
‎03-06-2014 08:37 AM
2 Karma
Is it possible to perform a search on a whole dataset using a subset of terms from a previous search? For example, I have a search that yields all the failed transactions based on an event type: sourcetype=catalina* eventtype=search_fail I get back rows in the following form: Mar 6, 2014 12:24:38 AM api.core.helper.LogHelper severe SEVERE: There was an error for search_id=530959 These rows all contain a search_id number. I would like to then initiate a new search for any search_id equal to these values, so that I can see all events leading up to these failures. Is that possible? I have tried various things like: sourcetype=catalina* eventtype=search_fail | search search_id sourcetype=catalina* eventtype=search_fail | search search_id=search_id sourcetype=catalina* eventtype=search_fail [ search search_id ] ... But nothing seems to do what I am after. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from