Security

Use field from one source to query another source

mdacutanan
New Member

I am fairly new to Splunk and have had no formal training. I am having a difficult time taking a field from one source as input to search another source.

Here is my first query:

index=ivr sourcetype=ivr_history [search sourcetype=ivr_history "2062401185"| fields sidnum host]| stats values(sessID2) by host sidnum

OUTPUT of the query above shows host, sidnum and sessID2. Now, I want to search another source called ivr_sef. I want to use sessID2 to search source ivr_sef. If found, return the field 'id' (which should actually be the same as sessID2).

I modified my first query to the query below, but the output for the id field comes out empty! I do know for a fact that the sessID value does exist in source ivr_sef (inside field id) because I have searched it manually and separately beforehand. Please help!

index=ivr sourcetype=ivr_history OR ivr_sef [search sourcetype=ivr_history "2062401185"| fields sidnum host]| eval common=coalesce(sessID2, id)|stats values(sessID2) values(id) by host sidnum


yannK
Splunk Employee

Your approach is the good one:
use the result of a subsearch to populate the search conditions of the main search.

conditionA=A [search othersearch| table conditionB]
will become an equivalent of
conditionA=A AND (conditionB=B1 OR conditionB=B2 OR ..... OR conditionB=Bx )

So you may have a field that has a different name in your 2 searches (id or sidnum). You should attach a sample, and the result of the subsearch.

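As an added example (not yannK's or the poster's own query), here is the subsearch written so that the field it returns carries the same name as the field in ivr_sef, which is what the expansion described above needs in order to match anything. It uses only the index, sourcetypes, field names and search term from the question; the dedup keeps the list of session ids short so the subsearch stays within the default result limits.

```spl
index=ivr sourcetype=ivr_sef
    [ search index=ivr sourcetype=ivr_history "2062401185"
      | fields sessID2
      | dedup sessID2
      | rename sessID2 AS id
      | format ]
| table id
```

The subsearch expands to (id="value1") OR (id="value2") OR ..., so the outer search returns only ivr_sef events whose id equals one of the sessID2 values. In the second query in the question, the subsearch instead returned sidnum and host, fields that the ivr_sef events do not carry, so no ivr_sef event could satisfy the expanded clause and id came back empty.
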
mdacutanan
New Member

Hello yannK! My first query (source ivr_history): I need the output to show host, sidnum & sessID. I am able to achieve this using this query:
index=ivr sourcetype=ivr_history [search sourcetype=ivr_history "some data"| fields sidnum host sessID2]| table sidnum host sessID2| dedup sidnum host sessID2

The 2nd query has a different source: ivr_sef.
Manually, I would run the query above and copy the sessID2 value and paste it into this query:
index=ivr sourcetype=ivr_sef "pasted sessID value here"| table id
What I want to achieve is to combine these 2 queries and remove the manual copy-paste.
Thanks
