Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search a result and then a field value create array and pass 1 by 1 in another search query at same time

varunawasthi9
New Member
‎07-29-2019 12:35 PM

Hi All,

is this doable that a search request give a list of results in that a filed will have order id those are list of order ids and those need to pass 1 by 1 on next Query

Eg

first search gives me

1 abc
2 efg
3 eeg

from thay pass 1 by 1 in another search at the same time

like index=xyz 1 create

0 Karma
Reply

varunawasthi9
New Member
‎07-29-2019 02:08 PM

And if adding to above I need that from the array list if something not present from the list how to achieve that

0 Karma
Reply

jacobpevans
Motivator
‎07-29-2019 02:26 PM

You would need to start with a search that returns all possible values and join that to your search. In our environment, this is generally a lookup. Here's an example that you can try in your environment.

| makeresults count=10
| eval product_id=random()%10+1
| join type=left max=0 product_id [
    | makeresults count=10
    | eval product_id=random()%5+1
    | stats count by product_id ]
| fillnull

Using @solarboyz1 's example, it would look something like the command below where the "product_ids" lookup has a column called "product_id".

| inputlookup product_ids
| join type=left max=0 product_id [
    | search index=sales
    | stats sum(sales) as sales by product_id
    | map search="search index=product_details id=$product_id$" ]
| fillnull
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

solarboyz1
Builder
‎07-29-2019 01:49 PM

IIt sounds like map is the command you are looking for: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map

It sounds like you would like to do something like

index=sales | stats sum(sales) as sales by product_id | map search="search index=product_details id=$product_id$"

Each product_id returned by the search:

 index=sales | stats sum(sales) as sales by product_id

Will be run through the search

index=product_details id=$product_id$
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2019 12:59 PM

Can you explain in more detail your use case? What you describe could be an example of subsearch or map (or something else), but we need more information.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...