Solved: How do I pass the output of first search to the su...

ruth091 · ‎09-25-2018

I have an index="summary" where it captures both success connections and error connections.

I need to get the connection ID for those Error connections and with the output of this search (connection ID) need to subsearch in the same index to get the source IP.

CONNID value is the list. For each CONNID need to pass to the subsearch.

I used this query:

index=summary  sourcetype=ldap_log    eventtype=nix_errors | fields CONNID    | rename CONNID As cid |  map    search="search index=summary     sourcetype=ldap_log ID=$con_id$    src_ip"

It returns null value, but when i executed separately it works.

Vijeta · ‎09-25-2018

If you are running on dashboard XML, use $$ instead of $. Also you have renamed CONNID as cid, so that should be used in subserach instead of con_id.
If it is a string then needs to be escaped as, ID=\"$cid$\" , if on dashboard XML use ID=\"$$cid$$\"

View solution in original post

Vijeta · ‎09-25-2018

If you are running on dashboard XML, use $$ instead of $. Also you have renamed CONNID as cid, so that should be used in subserach instead of con_id.
If it is a string then needs to be escaped as, ID=\"$cid$\" , if on dashboard XML use ID=\"$$cid$$\"

How do I pass the output of first search to the subsearch in the same index?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor