Reputation: 2470
Filtering splunk results using results of another splunk query
I want to use a query in splunk, extract a list of fields and then use these result fields to further filter my subsequent splunk query. How do I do this?
Upvotes: 4
Views: 28340
Answers (4)
Reputation: 304
Subsearch is a search query that is nested within another search query, and the results of the subsearch are used to filter the main search, so:
1- First, run a query to extract a list of fields that you want to use for filtering your subsequent Splunk query:
index=my_index sourcetype=my_sourcetype | table my_field
2- Next, use the results of this query as input to filter the subsequent query using a subsearch:
index=my_index sourcetype=my_sourcetype [ |
search index=my_index sourcetype=my_sourcetype | table my_field
] | your_search_operations
Here, the subsearch is enclosed in square brackets [| search ...]. The results from the subsearch are used to filter the main search query.
Pipe | takes the output (results) from the command or operation preceding the pipe and passes it as input to the command or operation following the pipe.
Upvotes: 0
Reputation: 1
In Splunk, it is possible to filter/process on the results of first splunk query and then further filter/process results to get desired output.
This is the most powerful feature of Splunk that other visualisation tools like Kibana, Tableau lacks.
Suppose you have data in index foo and extract fields like name, address.
Now name/address can be direct key-value pair or you need to extract from event using regex or Splunk in-built feature Extract fields.
And then further filter with values like name = "John" then Splunk search will be:
index="foo" | table name, address | where name="John"
Upvotes: 0
Reputation: 103
the FORMAT command can be particularly useful for this. This is an overly simplistic example, but should give you an idea of how it's used:
First, craft your subsearch that will give you the fields you care about. Here is a functioning example:
|metadata type=hosts index=_internal | table host | format
Try running this search on it's own to see what the output looks like.
Then we just add it in as a subsearch of your real search:
index=foo sourcetype=bar [|metadata type=hosts index=_internal | table host | format]
that will give you events from index foo, sourcetype bar, and every host from the subsearch.
This is actually an extremely powerful command, as you can use it to dynamically set timeranges as well as complex boolean filters.
More FORMAT documentation can be found here
More complex example of what can be done with FORMAT
Upvotes: 7
Reputation: 259
One option is to pipe the data from the first search to the next and then you can further filter the results. Hopefully the following simplified search string will give you ideas on how to do this ...
index=_internal | head 100 | fields host, sourcetype, source | search sourcetype="splunkd_access"
For more information, I recommend reading through the Splunk Search Reference
Upvotes: 0
Related Questions
- how do i pass a result from one search into IN clause of another search in splunk?
- Splunk filter one search by another
- SPLUNK use result from first search in second search
- Output of 1 query to be used a input of another to get results
- Splunk conditional search
- Splunk query filter out based on other event in same index
- Splunk query based on the results of another query
- show results from two splunk queries into one
- How to combine two queries in Splunk?
- Splunk query to filter results