Splunk Dev

Search from host 'A' (based on multiple values of a field of another search from host 'B')

song_jin99
New Member

Hi,

I have a question for searching.

I want to search from host 'A' (based on multiple values of a field of another search from host 'B').
In other words, I have a search result (values of field 'id') from host 'B' as below:
search query: host='B' "Test" | fields + id | table id

And I want to find results for all values of 'id' in host 'A'.

I tried sub-search, but it seems it only works for one value of a field. (I am newbie, maybe I might be wrong)
Can anyone provide any suggestion?

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi song_jin99,
at first are you sure that:

  • id is present in both the searches,
  • id doesn't have spaces,
  • id is always in upper o lower case especially the last condition is very relevant in subsearch use.

if yes try something like this

index=your_index host=hostA [search index=your_index host=hostB | fields id ]

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi song_jin99,
at first are you sure that:

  • id is present in both the searches,
  • id doesn't have spaces,
  • id is always in upper o lower case especially the last condition is very relevant in subsearch use.

if yes try something like this

index=your_index host=hostA [search index=your_index host=hostB | fields id ]

Bye.
Giuseppe

gcusello
SplunkTrust
SplunkTrust

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma

song_jin99
New Member

Thanks Cusello

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...