I'm trying to figure out if it's possible to take the results out of a search and define them and automatically use them in a subsearch. The results will change each time the search is run.
As an example, in the log below I am pulling out "32573", "D2E8DB9A3F_4761818F", "54461818_23272_700_1", and "18909934C1_4761819B". I've defined all of those as fields and now I want to be able to run a separate search that looks for logs that contain that information.
Nov 26 13:12:41 10.255.220.2 Nov 26 18:12:41 sm03 postfix/smtp[32573]: D2E8DB9A3F_4761818F: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.2, delays=0.01/0/0/0.19, dsn=2.0.0, status=sent (250 OK, sent 54461818_23272_700_1 1980934C1_4761819B)
Does anyone know if this is possible? If so can you just point me in the direction of what I could use to accomplish this?
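As an added example of the subsearch approach the question asks about (not from the original thread or any of the answers), the search below pulls the IDs out of the postfix "status=sent" line with rex and feeds them back into an outer search as bare terms. It assumes the events are in index=mail with sourcetype=syslog; the field names pid, queue_id, relay_msg_id and relay_queue_id are my own. The pid is extracted but deliberately not used as a search term, because a plain number like 32573 would match far too many unrelated events.

```spl
index=mail sourcetype=syslog
    [ search index=mail sourcetype=syslog "postfix/smtp" "status=sent"
      | rex field=_raw "postfix/smtp\[(?<pid>\d+)\]: (?<queue_id>[0-9A-F]+_[0-9A-F]+): "
      | rex field=_raw "status=sent \(250 OK, sent (?<relay_msg_id>\S+) (?<relay_queue_id>\S+)\)"
      | eval search=mvappend(queue_id, relay_msg_id, relay_queue_id)
      | mvexpand search
      | dedup search
      | fields search
      | format ]
```

Naming the field `search` before `format` makes the subsearch return the values as raw terms (`( ( D2E8DB9A3F_4761818F ) OR ( 54461818_23272_700_1 ) OR ... )`) rather than `queue_id="..."` clauses, which would only match if the outer search also extracted that field. Keep in mind that subsearches are capped (by default 10,000 results and a 60-second runtime), so narrow the inner search with a time range if the ID list can grow large.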
I'm pretty sure Workflows are what you need as they can:
"Launch secondary Splunk Enterprise searches that use one or more field values from selected events"
Take a look here:
Hi. Maybe a search macro can be useful:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros
Hi akelly,
Have you tried looking at Workflows?
You can forward data from a field into a new search or to an external site?