Re: How to use the result from an index of the 1st...

shreyasathavale · ‎06-18-2015

I am getting output for max hits at particular date and hour for a 1st search having index=iis. Now i want the date and hour from the 1st search to be input for 2nd search to find result for index=perfmon and show output fields of both searches.

Is it possible?

woodcock · ‎06-18-2015

You need the map command, like this:

first search that generates a list of events that have the "_time" values you need | map search = "search earliest>(_time-60) latest<(time+60) some other search"

You can also use the FOREACH command.

shreyasathavale · ‎06-18-2015

I am trying this..Meanwhile could you please tell if it is possible:

1st query output:
date_hour date_mday
4 15

2nd query output using hour and day of 1st query ouput
host counter avg(Value)
1552 % Processor Time 20.611920

I want
date_hour date_mday host counter avg(Value)
4 15 ms.. .... ...

woodcock · ‎06-18-2015

OK, I think you are asking for something different than is implied by your original text. It sounds like you are trying to do a join (merge) by host. If so, try this:

(first query here | eval datehour=date_hour | eval datemday=date_mday) OR (second query here) | stats avg(Value) values(counter) AS counter values(datehour) AS datehour values(datemday) AS datemday by host

How to use the result from an index of the 1st search as input to return results from another index in a 2nd search?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability