Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use values from one search to another search?

batuhankutluca
Explorer
‎03-18-2019 06:53 AM

Hello,
I have a certain search that returns me many fields with values. Next thing I wanna do is get values of "src_ip" field and use them on an other search. I assume I can do that with a subsearch but I it is a bit cost. Other solution I thought was upload the first search's output as csv and get values form lookup but I'm not allowed to upload lookups. Can someone help me about that? Thanks.
(TLDR - Don't wanna use subsearch, need a solution.)

Ex Search: sourcetype=xxx | table src_ip -> sourcetype=yyy srcip=$src_ip$

Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 07:06 AM

Hi @batuhankutluca
You don't need to upload a CSV, you can create one on-the-fly like this:

sourcetype=xxx | table src_ip dvc|outputlookup ip_to_dvc.csv

Then you can do:

sourcetype=yyy |lookup ip_to_dvc.csv src_ip as srcip OUTPUT dvc
If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 07:06 AM

Hi @batuhankutluca
You don't need to upload a CSV, you can create one on-the-fly like this:

sourcetype=xxx | table src_ip dvc|outputlookup ip_to_dvc.csv

Then you can do:

sourcetype=yyy |lookup ip_to_dvc.csv src_ip as srcip OUTPUT dvc
If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

batuhankutluca
Explorer
‎03-18-2019 07:09 AM

So this doesn't work like subsearch right ? It saves the output of the first search to somewhere and get values for the second search from there ?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-18-2019 07:15 AM

Correct, you can run this as two different searches.
This is commonly done to generate a lookup file once a day/hour etc, so you can then use it it subsequent searches.

If you wanted to run all the elements at once, there are a number of ways - subsearch as you have mentioned (but ruled out) a 'join' (also performance sucking), or couple of options with a event/stream stats commands, or even with an append.

Personally, I like the separate lookup option, but it all depends on your uses case.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

batuhankutluca
Explorer
‎03-18-2019 07:24 AM

Oh It fits for my problem then. Yeah as You mentioned that join and subsearch consume much resource. This method is just I wanted. Thanks sir!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...