Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parse a value and then use that as new query to search?

zakirhere
New Member
‎02-20-2023 03:28 PM

Hi,

I have an unusual scenario for the data I am working with and would like to see if it's even possible to extract data this way. In brief, I parsed a value from my initial search query to a variable using rex and now I want to use only that value as new query instead of sub-query.

Workflow:

  1. Find all successful test runs for a suite (this is a long query)
  2. Find reporting_url via event on each run 
  3. Parse uuid from reporting_url (I used rex on raw data and saved it on variable like res_uuid)
  4. Search only that uuid as that has multiple test_id records showing count of Pass/Fail counts.
  5. (Eventually create a graph for the same)

Trying to make a simple example:

First query -> Gives test suite level record. Parse to get UUID value

Second query -> Independent query using that UUID and then use that for making graph. Please note that 2nd query results not linked with 1st query and sub-search will only give one record. 

 

 

(Apologies if it's a very common workflow but I was not able to search it easily)

 

Labels (4)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-20-2023 09:33 PM

Hi @zakirhere,

You can append the new UUID value to a lookup, your second search use that lookup for the graph.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

zakirhere
New Member
‎02-21-2023 12:16 PM

Lookup on that result only shows results from the parent level (meaning same result). I checked in other groups and looks like I have to use some external programming language to pass these variable values and start a new query.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...