Hi!
I would like to have help with search.
I would like to pass the results from one search
search xxxxx|xxxxx
result:
a
b
c
d
e
to other search as
search field=a OR field=b OR field=c OR field=d OR field=e | xxxxx
Can this be done with append or do you need additional scripting?
Thanks,
Yu
Have a look at format. http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
You can do this by using a subsearch and calling format with custom parameters in order to alter the way the subsearch outputs its results.
[search ... | rename fieldA as field | fields field | format "(" "(" "OR" ")" "OR" ")"] | ...
Hello ayn and sideview.
This solution was what I was looking for!
Thank you very much!
Sideview
Do you mind if I ask the reason why I should not use the join command?
Hello sideview.
Thank you for the comment.
The stats command is just the filter for which records should remain in use.
I will look into the format command.
Definitely don't use join here. Also, if you omit the format command from a subsearch entirely, Splunk will sneak one in, and it'll be one with those exact same arguments. So you can simplify Ayn's answer by removing that format command entirely.
Also I'm not sure what your intention is with stats count(eval(diffSeq>0)),
but since you're only using the distinct values anyway at the end, it looks completely equivalent to
* [search index=test1_it OR index=test2_it
earliest="11/1/2013:0:0:0" latest="12/1/2013:0:0:0"
| dedup fieldA
| fields fieldA ]
Well, I have to amend my words a bit.
Since the parameters I am passing to the next search will be the results from the stats, I cannot use fixed search commands like format "(" "(" "OR" ")" "OR" ")"].
So I thought I needed to use the join to merge the results.
That's simpler? o_O
Hi ayn.
I think I found a simpler way.
I would rather use join type=inner.
| join type=inner max=0 fieldA [
search index=test1_it OR index=test2_it earliest="11/1/2013:0:0:0" latest="12/1/2013:0:0:0"
| sort 0 +fieldA
| delta Seq as diffSeq p=1
| search diffSeq=*
| stats count(eval(diffSeq>0)) as cnt by fieldA
| fields fieldA ]
This is part of actual search.