How to assign inner search returned value from source1 to outer search field from source2?

priyanka_yadav
New Member

Inner search:

index=apic component=faultInst |  eval cT = strptime(created, "%Y-%m-%dT%H:%M:%S.%3N") | eval early = relative_time(cT,"-1m") | eval c1 = strftime(early,"%m/%d/%Y:%H:%M")| table c1

Outer search:

index=apic component=aaaModLR |eval created=c1 | table created,affected

Here I want c1 value from inner search to get assigned to outer search, and based on the c1 value match, I need to print created and affected fields from the aaaModLR source.

Your help will be highly appreciated. Thank You!

0 Karma

MuS
SplunkTrust

Hi priyanka_yadav,

For multiple reasons you should not use join or subsearches, like the event limits and performance - get more details here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or from the virtual .conf session of @sideview March 2016 http://wiki.splunk.com/Virtual_.conf

Back to your search; this should be pretty straightforward since you're only searching in one index over one field:

index=apic component=faultInst OR component=aaaModLR
| eval cT = if(component="faultInst", strptime(created, "%Y-%m-%dT%H:%M:%S.%3N"), null())
| eval early = if(component="faultInst", relative_time(cT,"-1m"), null())
| eval c1 = if(component="faultInst", strftime(early,"%m/%d/%Y:%H:%M"), null())
| eval created = if(component ="aaaModLR", c1, null())
| where created = c1
| table created, affected

This is untested and written up after only one coffee 😉

What it does is the following:

get all your results from the index that match on the component field

index=apic component=faultInst OR component=aaaModLR

the next steps are only executed if the component matches faultInst

| eval cT = if(component="faultInst", strptime(created, "%Y-%m-%dT%H:%M:%S.%3N"), null())
| eval early = if(component="faultInst", relative_time(cT,"-1m"), null())
| eval c1 = if(component="faultInst", strftime(early,"%m/%d/%Y:%H:%M"), null())

the next step is only executed if the component matches aaaModLR

| eval created = if(component ="aaaModLR", c1, null())

compare the field values of created with c1

| where created = c1

return a table with created and affected only if created matches c1

| table created, affected

Hope this helps ...

cheers, MuS

MuS
SplunkTrust

Little update on this: it could be that you will have to add a streamstats or filldown somewhere along the search to provide the additional fields further down the search stream... but without real event examples it's hard to tell 😉

cheers, MuS

0 Karma
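As an added example (not MuS's search or anything from the original thread), the same join-free correlation can be done with a single stats over a shared key, which avoids the filldown/streamstats question entirely. Field names index, component, created and affected come from the question; matchKey, faults and changes are names chosen here, and it is assumed that aaaModLR events carry a created timestamp in the same format as faultInst events.

```spl
index=apic (component=faultInst OR component=aaaModLR)
| eval cT = strptime(created, "%Y-%m-%dT%H:%M:%S.%3N")
| eval matchKey = if(component="faultInst",
      strftime(relative_time(cT, "-1m"), "%m/%d/%Y:%H:%M"),
      strftime(cT, "%m/%d/%Y:%H:%M"))
| stats count(eval(component="faultInst")) AS faults
        count(eval(component="aaaModLR")) AS changes
        values(eval(if(component="aaaModLR", created, null()))) AS created
        values(eval(if(component="aaaModLR", affected, null()))) AS affected
        BY matchKey
| where faults > 0 AND changes > 0
| table created affected faults
```

The matchKey is the minute bucket of the aaaModLR change, or the fault time shifted back one minute for faultInst, so a row survives the where only when an AAA modification record falls in the minute before a fault; because both sources flow through one stats there is no subsearch row limit to hit.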

somesoni2
SplunkTrust

How many entries would you get from the inner search?
Could you provide more details on how the value c1 would be used in the outer search? How are the fields created and affected calculated/generated?

0 Karma

patrick_muller
Explorer

What you want is to join two searches with the same field/value?
Something like this?

index=apic component=faultInst |  eval cT = strptime(created, "%Y-%m-%dT%H:%M:%S.%3N") | eval early = relative_time(cT,"-1m") | eval c1 = strftime(early,"%m/%d/%Y:%H:%M")| table c1 | join c1 [ index=apic component=aaaModLR |eval created=c1 | table created,affected, c1]

http://docs.splunk.com/File:Join.png

0 Karma