Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use the result from first search into second search

younes17
Explorer
‎06-09-2017 05:02 AM

I have an first search that will find the software list
search index=index1 | table software

in the second search, i need use the result of first search to find the match result with "where" command.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2017 07:50 AM

Try like this

index=index2 [search index=index1 | table fields1 | eval fields2="*".fields1."*" | table fields 2]  | table fields2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2017 07:50 AM

Try like this

index=index2 [search index=index1 | table fields1 | eval fields2="*".fields1."*" | table fields 2]  | table fields2
0 Karma
Reply
Solved! Jump to solution

younes17
Explorer
‎06-09-2017 05:48 AM

i have tow fields in the each index the first one fildes1 for index1 and second fields2 for index2

index=index2 [search index=index1|fields1] | where fields2 like "%fields1%" | table fields2

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎06-09-2017 05:27 AM

You question is not very specific, so there are many answers depending on the context. Suppose you second search is "index=index2" and there is a field called software, then you could use a subsearch as follows:

index=index2 [search index=index1|fields software]

If the field in the second search is package instead of software, then you can do this:

index=index2 [search index=index1|rename software as package|fields package]
0 Karma
Reply
Solved! Jump to solution

younes17
Explorer
‎06-09-2017 05:57 AM

i have tow fields in the each index the first one fildes1 for index1 and second fields2 for index2

index=index2 [search index=index1|fields1] | where fields2 like "%fields1%" | table fields2

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎06-09-2017 09:21 AM

I think you mistake the where command with the SQL where. They are two different things. To achieve what you are looking for with a subsearch, you can do the following:

index=index2 [search index=index1|eval fields2="*"+field1+"*"|fields field2]

Depending on what you are trying to achieve this can be made more efficient, but the "*" in search is similar to SQL '%'

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎06-09-2017 05:23 AM

A subsearch...

Usually/often used like

index=index2 [search index=index1 | table software]

If your subsearch returns "Office" and "Windows" then the entire search after running it becomes index=index2 AND (software=Office OR software=Windows).

If you specifically need to use where, it should still work the same.

index=index2  ... | where search [index=index1 | table software]

But, there are comparison cases where it gets just a tiny bit trickier. If you could provide the search you are actually using, it might be easier to get a really specific answer.

Reply
Solved! Jump to solution

younes17
Explorer
‎06-09-2017 05:51 AM

i have tow fields in the each index the first one fildes1 for index1 and second fields2 for index2

index=index2 [search index=index1|fields1] | where fields2 like "%fields1%" | table fields2

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...