I am fairly new to Splunk and have had no formal training. I am having a difficult time taking a field from one source as input to search another source.
Here is my first query:
index=ivr sourcetype=ivr_history [search sourcetype=ivr_history "2062401185"| fields sidnum host]| stats values(sessID2) by host sidnum
The output of the query above shows host, sidnum and sessID2. Now, I want to search another source called ivr_sef. I want to use sessID2 to search source ivr_sef. If found, return the field 'id' (which should actually be the same as sessID2).
I modified my first query to the query below, but the output for the id field comes out empty! I do know for a fact that the sessID value does exist in source ivr_sef (inside field id) because I have searched for it manually and separately beforehand. Please help!
index=ivr sourcetype=ivr_history OR ivr_sef [search sourcetype=ivr_history "2062401185"| fields sidnum host]| eval common=coalesce(sessID2, id)|stats values(sessID2) values(id) by host sidnum