Splunk Search

How to use files got as results from one query as source in another query?

anooshac
Communicator

Hi all,

I have 2 queries; from one I get a list of files, and the other query should use these files as its source to get some results. The output of the first query may have a lot of files, and I want to use all of them together in the second query. Does anyone have an idea of how to do this?


gcusello
SplunkTrust

Hi @anooshac,

you could try something like this:

your_search_1 [ search your_search_2 | fields source ]
| ...

If you could share both your searches I could be more detailed.

Ciao.

Giuseppe


anooshac
Communicator

Hi, this is the first query I'm using to get the files. I want the most recently uploaded file of the project. This will give the recent file name with the project name. I don't know if this is the right method to get the recent file.

index=abc source=.......
| rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)"
| stats latest(project_name_file) by project_name

The result will be having many files. I want to use all these files in another query.

index=abc source="All the files from previous query"|dedup name| chart count(name) as count by "Number"

I am not sure how to use all the files as source.


gcusello
SplunkTrust

Hi @anooshac,

please see my approach and adapt it to your use case:

index=abc [ | search 
     index=abc source=.......
     | rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)" 
     | stats latest(project_name_file) AS source BY project_name
     | fields source
     ]
| dedup name
| chart count(name) as count by "Number"

In a few words: to use the first search to filter the second search's results, you have to put the first search in a subsearch, then be sure that the key field has the same name in both the main search and the subsearch; for this reason I renamed latest(project_name_file) AS source.

Beware whether or not project_name_file has the full path that you should have in the source field of the main search.

Ciao.

Giuseppe

anooshac
Communicator

I am getting "No results found". Will I be able to use this query if the inner query has more than 1 file as output? Is that why it gives no results found?


gcusello
SplunkTrust

Hi @anooshac,

as I said in my previous answer, the problem is probably in the format of the results: you should check the results of the two queries and see if they have the same format, e.g. do both have the full path or not?

If they are different you have to modify the search to adapt to the different formats: e.g. use an asterisk or delete the full path and leave only the filename.

Ciao.

Giuseppe

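A model of the subsearch mechanics described in the two answers above, added here as an example and not code from the thread: the inner stats picks the latest file per project, the subsearch rows become OR-ed source=value terms in the outer search, and a bare filename never matches a full-path source until an asterisk is prefixed. The events, paths, names and Number values are constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events standing in for index=abc; only the
# /A/B/C/<project>/<file> layout of source comes from the thread.
EVENTS = [
    {"_time": 100, "source": "/A/B/C/projA/build_1.log", "name": "n1", "Number": "1"},
    {"_time": 200, "source": "/A/B/C/projA/build_2.log", "name": "n2", "Number": "1"},
    {"_time": 210, "source": "/A/B/C/projA/build_2.log", "name": "n2", "Number": "1"},
    {"_time": 150, "source": "/A/B/C/projB/run_7.log", "name": "n3", "Number": "2"},
    {"_time": 300, "source": "/A/B/C/projB/run_7.log", "name": "n4", "Number": "2"},
    {"_time": 50, "source": "/other/tree/file.log", "name": "n5", "Number": "3"},
]

REX = re.compile(r"/A/B/C/(?P<project_name>[^/]*)/(?P<project_name_file>[^/]*)")

def latest_file_per_project(events):
    """Inner search: rex field=source ... | stats latest(project_name_file) AS source BY project_name."""
    latest = {}
    for ev in events:
        m = REX.search(ev["source"])
        if not m:
            continue
        proj = m.group("project_name")
        if proj not in latest or ev["_time"] > latest[proj][0]:
            latest[proj] = (ev["_time"], m.group("project_name_file"))
    return {proj: name for proj, (_, name) in latest.items()}

def outer_search(events, values, field="source"):
    """Subsearch rows are OR-ed into the outer search as field=value terms;
    '*' is a Splunk wildcard, which fnmatch treats the same way."""
    return [ev for ev in events if any(fnmatchcase(ev[field], v) for v in values)]

def count_by_number(events):
    """| dedup name | chart count(name) as count by "Number" """
    seen, counts = set(), {}
    for ev in events:
        if ev["name"] not in seen:
            seen.add(ev["name"])
            counts[ev["Number"]] = counts.get(ev["Number"], 0) + 1
    return counts

def run(events, use_wildcard):
    """Whole pipeline. use_wildcard=False reproduces the thread's 'No results found':
    bare filenames never equal the full-path source of the outer events."""
    files = latest_file_per_project(events).values()
    values = [("*/" + f) if use_wildcard else f for f in files]
    return count_by_number(outer_search(events, values))
```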

anooshac
Communicator

Sorry.. missed that part. It is working fine now. Thanks a lot for the help!


gcusello
SplunkTrust

Hi @anooshac,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
