
How to use the result from an index of the 1st search as input to return results from another index in a 2nd search?

shreyasathavale
Communicator

I am getting output for max hits at a particular date and hour for a 1st search having index=iis. Now I want the date and hour from the 1st search to be input for a 2nd search to find results for index=perfmon and show output fields of both searches.

Is it possible?


woodcock
Esteemed Legend

You need the map command, like this:

first search that generates a list of events that have the "_time" values you need | eval earliest=_time-60, latest=_time+60 | map search="search earliest=$earliest$ latest=$latest$ some other search"

You can also use the FOREACH command.
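A complete worked version of the map approach, added here as an example and not taken from woodcock's answer or the original thread. It assumes the index names (iis, perfmon) and the counter/Value fields from the question, and it assumes hits are counted in one-hour buckets; the outer search finds the busiest hour, then map runs one perfmon search bounded to that hour and carries the outer fields in as tokens so the final table shows columns from both searches:

```spl
index=iis
| bin _time span=1h
| stats count AS hits BY _time
| sort - hits
| head 1
| eval earliest=_time, latest=_time+3600,
       date_hour=strftime(_time, "%H"), date_mday=strftime(_time, "%d")
| map maxsearches=1 search="search index=perfmon earliest=$earliest$ latest=$latest$ counter=\"% Processor Time\"
    | stats avg(Value) AS avg_value BY host, counter
    | eval date_hour=\"$date_hour$\", date_mday=\"$date_mday$\", hits=$hits$
    | table date_mday, date_hour, hits, host, counter, avg_value"
```

The inner search only sees fields it computes itself, which is why date_hour, date_mday and hits are passed in as $token$ values and re-created with eval; earliest and latest keep the perfmon search bounded to the one hour instead of scanning all time. Setting maxsearches to match the number of rows fed into map (here 1 after head) avoids map silently truncating results.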

shreyasathavale
Communicator

I am trying this. Meanwhile, could you please tell if it is possible:

1st query output:
date_hour date_mday
4 15

2nd query output using hour and day of 1st query output:
host counter avg(Value)
1552 % Processor Time 20.611920

I want
date_hour date_mday host counter avg(Value)
4 15 ms.. .... ...


woodcock
Esteemed Legend

OK, I think you are asking for something different than is implied by your original text. It sounds like you are trying to do a join (merge) by host. If so, try this:

(first query here | eval datehour=date_hour | eval datemday=date_mday) OR (second query here) | stats avg(Value) values(counter) AS counter values(datehour) AS datehour values(datemday) AS datemday by host