Java hunger
Reputation: 77
Splunk join two query to based on result of first query
In Splunk query I have two query like below
Query 1- index=mysearchstring1 Result - employid =123
Query 2- index=mysearchstring2
Here I want to use employid=123 in my query 2 to lookup and return final result.
Is it possible in Splunk?
Upvotes: 2
Views: 2077
Answers (1)
RichG
Reputation: 9906
It sounds like you're looking for a subsearch.
index=mysearchstring2 [ search index=mysearchstring1 | fields employid | format ]
Splunk will run the subsearch first and extract only the employid field. The results will be formatted into something like (employid=123 OR employid=456 OR ...) and that string will be appended to the main search before it runs.
Upvotes: 4
Related Questions
- SPLUNK use result from first search in second search
- Output of 1 query to be used a input of another to get results
- Join two Splunk queries without predefined fields
- nested condition in splunk
- How to merge two stats by in Splunk?
- Splunk how to combine two queries and get one answer
- Splunk query based on the results of another query
- How to append two queries in splunk?
- show results from two splunk queries into one
- How to combine two queries in Splunk?