Hi,
I am trying to extract an ID from a search and append the results using the extracted ID.
Example:
Search: host="hostname" 32351
<190>Aug 15 11:28:02 hostname sshd[32351]: User child is on pid 32353
Now I would like to append the entries including the child pid, e.g.
Search: host="hostname" 32351 OR 32353 without having to type "OR 32353".
Here, Splunk adds all entries with all child pids and not only those from the main search:
host="hostname" pid=32351 | append [search host="hostname" | fields + childpid]
So I am probably missing something before append. I hope it is enough information.
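The two-phase correlation the question is after (find the child pid announced by one sshd parent, then keep only that parent's and that child's lines), shown here as added example code in Python over a constructed log sample rather than as Splunk search language; the log lines, user names and pids other than 32351/32353 are made up for the illustration.

```python
import re

# Constructed sample in the syslog format quoted in the question.
# Only the 32351 -> 32353 pair comes from the post; everything else is invented.
SAMPLE_LOG = """\
<190>Aug 15 11:28:02 hostname sshd[32351]: Accepted publickey for alice port 51514 ssh2
<190>Aug 15 11:28:02 hostname sshd[32351]: User child is on pid 32353
<190>Aug 15 11:28:02 hostname sshd[32353]: Starting session: shell on pts/1 for alice
<190>Aug 15 11:29:10 hostname sshd[40100]: Accepted password for bob port 40022 ssh2
<190>Aug 15 11:29:10 hostname sshd[40100]: User child is on pid 40102
<190>Aug 15 11:30:00 hostname sshd[32353]: Received disconnect port 51514: disconnected by user
<190>Aug 15 11:30:00 hostname sshd[32351]: pam_unix(sshd:session): session closed for user alice
""".splitlines()

# Match the pid in the syslog tag only, not a bare number anywhere in the line
# (a bare-term search for "32351" would also hit ports, byte counts, etc.).
PID_RE = re.compile(r" sshd\[(?P<pid>\d+)\]: ")
CHILD_RE = re.compile(r" sshd\[(?P<pid>\d+)\]: User child is on pid (?P<childpid>\d+)")


def child_pids(lines, parent_pid):
    """Phase 1 (what the subsearch does): child pids announced by parent_pid."""
    children = set()
    for line in lines:
        m = CHILD_RE.search(line)
        if m and m.group("pid") == parent_pid:
            children.add(m.group("childpid"))
    return children


def session_lines(lines, parent_pid):
    """Phase 2 (the outer search): lines whose sshd pid is the parent or one of its children.

    Equivalent to searching pid=PARENT OR pid=CHILD without typing the child by hand.
    """
    wanted = {parent_pid} | child_pids(lines, parent_pid)
    kept = []
    for line in lines:
        m = PID_RE.search(line)
        if m and m.group("pid") in wanted:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for line in session_lines(SAMPLE_LOG, "32351"):
        print(line)
```

Restricting the child-pid extraction to lines whose own pid equals the parent is the step the posted `append [search host="hostname" | fields + childpid]` lacks, which is why it pulls in every session's children.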