I am trying to perform a "for loop", Splunk style, with two sources: source1 and source2. The searches right now look like this:
1. source="source1" param1=value1 param2=value2 | stats values(token)
I need the token for the next one:
2. source="source2" param4="*" token
I tried this (but it returns the error "Error in 'map': Did not find value for required attribute 'token'"):
source="source1" param1=value1 param2=value2 | stats values(token) |
map maxsearches=10 search="search source="source2" param4="*" token=$token$ |
stats values(param4) by token "
Where am I wrong, and is there a way to optimize this?
I tried source1 OR source2, but then I need multiple OR (AND (OR)) clauses to match multiple needed parameters.
Thanks in advance,
The working solution looks like this (note: results may vary, depending on what fields you have extracted):
index=common_index source=source2 param5 param4="*"
[
search index=common_index source=source1 param1=value1 param2=value2
|stats values(token) as omg
|rename omg as query
]
| stats values(param4) by token
This thing returns results like so:
param4_value1 token1
param4_value2 token2
param4_value2 token3
etc.
martin_mueller, thanks one more time for helping 🙂
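Added example (not from the thread, and not the original poster's or martin_mueller's search): the same two-step search written three ways. It keeps the thread's placeholder names (common_index, source1, source2, token, param1/param2/param4) and assumes value1/value2 are literal values. The first search fixes the map attempt from the question: `stats values(token)` names its output field `values(token)`, so no field called `token` reaches `map` and `$token$` has nothing to substitute; aliasing it back to `token`, expanding the multivalue with `mvexpand`, and escaping the quotes inside the map search string makes the substitution work. The second is the plain subsearch form from the accepted answer, and the third does the same with `return`, which emits `token="..." OR token="..."` for up to N distinct values.

```spl
index=common_index source="source1" param1=value1 param2=value2
| stats values(token) as token
| mvexpand token
| map maxsearches=10 search="search index=common_index source=\"source2\" param4=\"*\" token=\"$token$\" | stats values(param4) by token"

index=common_index source="source2" param4="*"
    [ search index=common_index source="source1" param1=value1 param2=value2
      | dedup token
      | fields token ]
| stats values(param4) by token

index=common_index source="source2" param4="*"
    [ search index=common_index source="source1" param1=value1 param2=value2
      | stats count by token
      | return 10 token ]
| stats values(param4) by token
```

A subsearch that returns a field named `query` (or `search`) is inserted into the outer search verbatim, which is what the `rename omg as query` trick in the working solution relies on; returning `token` as a normal field instead produces the `(token="tok_en1" OR token="tok_en2")` expression you can read back in the job inspector. Subsearches are capped by default at 10,000 results and 60 seconds, so if the inner search can exceed that, the `map` form (which runs one outer search per inner result, up to maxsearches) or a `stats ... by token` over `source1 OR source2` is the safer choice.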
You're basically trying to use results from one search to filter the next? No problem with subsearches:
source="source2" param4="*" [search source="source1" param1=value1 param2=value2 | fields token | dedup token]
Open the job inspector to see the expression being returned by the subsearch, it'll be a huge ((OR))-behemoth.
Do post the exact search you're running and the debug info shown at the top of the job inspector.
That's exactly what the search-subsearch combo in my answer does.
The "[inner search]" returns the token all right; however, it seems that the outer one doesn't understand the token provided... I accepted your answer, as it seems the problem is related to my Splunk instance 🙂
Do both sources have an extracted field token?
Sorry for the delay.
Yes, both searches have "token" extracted.
I can manually perform search1, copy/paste "token" into search2, but I'd like to automate it.
True, but your way doesn't seem to be working.
The way I tried to do it, search 1 would return a list or a single token like so:
tok_en1
tok_en2
What search 2 does is, for each tok_en*, get the logged error message. It seems I need more time.