Search for A then use all of A and search for B

tb582 · ‎04-07-2012

I'm looking to find everything that has the string "Task Failed". I want splunk to get the task_id and then use all those task_id's for another search which looks for different strings but only ones that also have the ID's it found in the initial search.

kristian_kolb · ‎04-07-2012

I think a subsearch would do the trick for you;

Assuming that you have sourcetype_A containing the task_id's you look for, and sourcetype_B is where you want to search for different_string where the task_id matches.

sourcetype=sourcetype_B different_string=* [search sourcetype_A "Task failed" | fields + task_id]

the subsearch finds all events with "Task failed", and returns;

task_id=X OR task_id=Y OR task_id=Z

i.e. all task_id's found, and they are passed as parameters to the outer search.

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

Hope this helps,

Kristian

kristian_kolb · ‎04-08-2012

Thank you for that pointer gkanapathy. Seems much simpler to use 'return'... hadn't really looked at it.

tb582, did you get the search to work the way you wanted?

/k

gkanapathy · ‎04-07-2012

then just use the same sourcetype name in both places. however, i would recommend using instead of fields, the new return command, as return 10000 task_id. This basically combines fields with dedup, and makes explicit the number of task_ids max that will be considered.

tb582 · ‎04-07-2012

its the same source type

Search for A then use all of A and search for B

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life