Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to send the output of one sourcetype into another

nidhi6
New Member
‎09-06-2016 04:40 AM

Hi,

I am trying to run a search query wherein where in output of one query acts as inupt for the following query.
Please help me with the syntax.
Also,please let me know how can i view the second query resul in dashbaord. (Means when i click on visualization i should be redirected towards the second query dashboard.

Please help.

Thanks & Regards,
Nidhi Gupta

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-06-2016 08:03 AM

..I am trying to run a search query wherein where in output of one query acts as inupt for the following query
While using pipes |, by default, first query output will be passed to second query. for example, 

index=app search-for-something | table source, sourcetype, _time

..how can i view the second query result in dashboard
You can use timechart command, or chart commands, which will create the visualizations
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Timechart

Can you provide us more info about the requirement, so that we can suggest you exactly how to proceed?

0 Karma
Reply

nidhi6
New Member
‎09-06-2016 10:29 AM

Hello,

Basically I am querying one of the sourcetype and its field is to be matched with the second sourcetype and I want to show fields from second sourcetype after matching data from the 1st sourcetype .

In the database sense I want to use join between two sourcetype .

Thanks,
Nidhi

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-07-2016 02:24 AM

Hi Nidhi,

Maybe, like this.. there is a join command in Splunk as well, but that may not be needed for this one, I think.

search index=app sourcetype=abc | table host

This will search for sourcetype abc on index app, and returns the list of host names.

This search below will check on index app, for sourcetype a1b1c1, and only for the host list from first search.

index=app sourcetype=a1b1c1 [search index=app sourcetype=abc | table host] | table _raw _time

if you update us with your present search or more info on the requirement, we can suggest exactly.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2016 06:04 AM

Could you be more specific? What are the two queries?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...