How do I initiate a second search after getting field values from my first search?

BenTreeser
Explorer

I have two different searches. How do I concatenate them?

Search 1:

string1 | rex field=_raw "{(?<my_field>\d+)"

Search 2:

string2 | rex field=_raw "needed * (?<runtime>\d+)" | search runtime>5000

string1 != string2. What I want is to filter the results of search 2 by the item IDs found by search 1. How do I do it?


markthompson
Builder

Hi Ben,
This is known as Sub-Searching, please see the link below which is the documentation for Sub searches.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Search/Aboutsubsearches

Hope it helps


BenTreeser
Explorer

Helped me partly. Thanks

What I needed furthermore was a way to filter by all of the found field values. For this it is essential to distinguish between "rename my_field as search" and "rename my_field as query".

So the resulting query in my case would be:

string2 [|search string1 | rex field=_raw "{(?<my_field>-*\d+)" | rename my_field as query | fields query] | rex field=_raw "needed * (?<runtime>\d+)" | search runtime>5000
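Added example (mine, not from this thread or Splunk's documentation) showing why the rename matters: the first search previews what the subsearch hands back, and each subsearch form is then followed by the search Splunk effectively runs after substitution. It assumes an index named app and that the subsearch found item IDs 42 and 7 (constructed values; Splunk's exact parenthesization may differ).

```spl
index=app "string1"
| rex field=_raw "\{(?<my_field>-?\d+)"
| dedup my_field
| fields my_field
| format

index=app "string2"
    [ search index=app "string1"
      | rex field=_raw "\{(?<my_field>-?\d+)"
      | dedup my_field
      | fields my_field ]
index=app "string2" ( ( my_field="42" ) OR ( my_field="7" ) )

index=app "string2"
    [ search index=app "string1"
      | rex field=_raw "\{(?<my_field>-?\d+)"
      | dedup my_field
      | rename my_field AS query
      | fields query ]
| rex field=_raw "needed\s+(?<runtime>\d+)"
| where tonumber(runtime) > 5000
index=app "string2" ( 42 OR 7 )
| rex field=_raw "needed\s+(?<runtime>\d+)"
| where tonumber(runtime) > 5000
```

Without the rename, the expanded search only matches string2 events on which my_field is actually extracted, which a rex applied to string1 events does not provide, whereas with query the IDs become bare terms matched against _raw. Subsearches are capped by limits.conf (10,000 results and 60 seconds by default), which is why the dedup is there.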

markthompson
Builder

Hi Ben,
Glad it helped.

Please vote up!
