Hi all,
I have two queries: from one I get a list of files, and the other query should use these files as its source to get some results. The output of the first query may have a lot of files, and I want to use all of them together in the second query. Does anyone have an idea of how to do this?
Hi @anooshac,
you could try something like this:
your_search_1 [ search your_search_2 | fields source ]
| ...
If you could share both your searches I could be more detailed.
Ciao.
Giuseppe
Hi, this is the first query I'm using to get the files. I want the most recently uploaded file of each project. This gives the recent file name with the project name. I don't know if this is the right method to get the recent file.
index=abc source=....... | rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)" | stats latest(project_name_file) by project_name
The result will have many files. I want to use all these files in another query:
index=abc source="All the files from previous query" | dedup name | chart count(name) as count by "Number"
I am not sure how to use all the files as source.
Hi @anooshac,
please see my approach and adapt it to your use Case:
index=abc [ | search
index=abc source=.......
| rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)"
| stats latest(project_name_file) AS source BY project_name
| fields source
]
| dedup name
| chart count(name) as count by "Number"
In a few words: to use the first search to filter the results of the second search, you have to put the first search in a subsearch, then make sure that the key field has the same name in both the main search and the subsearch; for this reason I renamed latest(project_name_file) AS source.
Beware whether project_name_file has the full path or not, since the full path is what you should have in the source field of the main search.
Ciao.
Giuseppe
I am getting "no results found". Will I be able to use this query if the inner query has more than one file as output? Is that why it gives "no results found"?
Hi @anooshac,
as I said in my previous answer, the problem is probably in the format of the results: you should check the results of the two queries and see if they have the same format, e.g. do both have the full path or not?
If they are different, you have to modify the search to adapt to the different formats: e.g. use an asterisk, or delete the full path and leave only the filename.
Ciao.
Giuseppe
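Added example, not part of any post above: the same subsearch pattern Giuseppe proposed, with two changes that address the "no results found" case discussed in the last two replies. First, the subsearch keeps the full source path (latest(source) instead of latest(project_name_file)), so the values it hands back already match the format of the main search's source field and no asterisk is needed. Second, the subsearch is shown on its own with the format command, which prints the exact (source="..." OR source="...") clause that gets spliced into the outer search, so a mismatch in path format is visible before the outer search runs. The path prefix "/A/B/C/*" is an assumption standing in for the elided source=....... in the thread; the index name and rex pattern are taken from the thread.

```spl
| search index=abc source="/A/B/C/*"
| rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)"
| stats latest(source) AS source BY project_name
| fields source
| format
```

Once the generated clause looks right, the outer search is the one from the accepted answer with the inner stats changed to keep the full path:

```spl
index=abc source="/A/B/C/*"
    [ search index=abc source="/A/B/C/*"
      | rex field=source "/A/B/C/(?<project_name>[^/]*)/(?<project_name_file>[^/]*)"
      | stats latest(source) AS source BY project_name
      | fields source ]
| dedup name
| chart count(name) AS count BY "Number"
```

If the subsearch can only return the bare filename (for example because the file list comes from a lookup rather than from source), the alternative Giuseppe mentions is to build a wildcard value before returning it, e.g. `| eval source="*/".project_name_file | fields source`, so each returned term becomes source="*/filename". Two caveats worth knowing: a subsearch is capped by default at 10,000 results and 60 seconds (limits.conf [subsearch] maxout and maxtime), and anything above that is silently truncated, so a project list that grows large should be checked with format before trusting the outer counts; and field values returned by a subsearch are matched as search terms, so a filename containing spaces or quotes must come back quoted, which format also shows.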
Sorry.. missed that part. It is working fine now. Thanks a lot for the help!
Hi @anooshac,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉