Using search result as object of another search in same query (2024)

To use the results of a search in another search, use what Splunk calls a subsearch. Subsearches are enclosed by square brackets and execute first so the one that produces results runs as the subsearch. Those results become part of the main search.

Using the example searches from the OP:

index=wineventlog_pc [ search index=fortinet* user=XXXX* | top limit=1 sip | fields sip | format ]

The fortinet index is searched first and the results are converted by the format command into "sip=foo". Then the main search becomes index=wineventlog_pc sip=foo. Of course, the two indexes must use the same field name ("sip", in this case). If they don't, then the subsearch must rename the field to match the name used in the main search.

---
If this reply helps you, Karma would be appreciated.
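The following is an added illustration, not code from the original answer or from Splunk itself. It models in Python what happens to the bracketed part of the query above: the subsearch runs first, `format` (with its default separators) turns each result row into a `( field="value" )` clause joined with OR, and that text is spliced into the outer search. The sample Fortinet events are constructed, the index names come from the answer, the `src_ip` field name is a hypothetical example of the outer index using a different name (the rename case), and the 10,000-row cap is Splunk's default subsearch result limit (limits.conf `[subsearch] maxout`). It also shows why `fields sip` matters: without it, `top` hands its `count` and `percent` columns to the outer search as well.

```python
from collections import Counter

# Constructed sample events standing in for the `index=fortinet*` search;
# "XXXX" mirrors the placeholder user prefix used in the answer above.
FORTINET_EVENTS = [
    {"user": "XXXX01", "sip": "10.0.0.5"},
    {"user": "XXXX01", "sip": "10.0.0.5"},
    {"user": "XXXX02", "sip": "192.168.1.9"},
    {"user": "other",  "sip": "172.16.0.2"},
]

SUBSEARCH_MAXOUT = 10000  # Splunk's default limits.conf [subsearch] maxout


def search_user_prefix(rows, prefix):
    """Emulate the `user=XXXX*` filter of the subsearch."""
    return [r for r in rows if r.get("user", "").startswith(prefix)]


def top(rows, field, limit=1):
    """Emulate `top limit=N field`: most common values plus count and percent."""
    counts = Counter(r[field] for r in rows if field in r)
    total = sum(counts.values())
    return [{field: v, "count": c, "percent": round(100.0 * c / total, 6)}
            for v, c in counts.most_common(limit)]


def fields(rows, keep):
    """Emulate `fields a b`: keep only the listed fields."""
    return [{k: r[k] for k in keep if k in r} for r in rows]


def rename(rows, old, new):
    """Emulate `rename old AS new` for the field-name mismatch case."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]


def format_results(rows, maxout=SUBSEARCH_MAXOUT):
    """Emulate `format` with its defaults as applied to a subsearch:
    ( ( f="v" AND g="w" ) OR ( ... ) ). Returns (expression, truncated)."""
    truncated = len(rows) > maxout
    clauses = []
    for r in rows[:maxout]:
        terms = [f'{k}="{v}"' for k, v in r.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )", truncated


def subsearch_rows(outer_field="sip"):
    """The bracketed part: user=XXXX* | top limit=1 sip | fields sip [| rename sip AS outer_field]."""
    rows = fields(top(search_user_prefix(FORTINET_EVENTS, "XXXX"), "sip", limit=1), ["sip"])
    if outer_field != "sip":  # hypothetical: outer index names the field differently
        rows = rename(rows, "sip", outer_field)
    return rows


def expanded_main_search(outer_field="sip"):
    """What `index=wineventlog_pc [ ... ]` becomes once the subsearch has run."""
    expr, _ = format_results(subsearch_rows(outer_field))
    return f"index=wineventlog_pc {expr}"


def truncation_demo(n_rows):
    """Show the maxout cap: only the first 10,000 subsearch rows reach the main search.
    Returns (number of OR-clauses emitted, whether rows were dropped)."""
    rows = [{"sip": f"10.1.{i // 256}.{i % 256}"} for i in range(n_rows)]
    expr, truncated = format_results(rows)
    return expr.count(" OR ") + 1, truncated


if __name__ == "__main__":
    print(expanded_main_search())
    print(expanded_main_search(outer_field="src_ip"))
    # Without `fields sip`, top's count/percent columns leak into the outer search:
    print(format_results(top(search_user_prefix(FORTINET_EVENTS, "XXXX"), "sip"))[0])
    print(truncation_demo(10_005))
```

The truncation case is the one to watch in a SIEM pivot: if the subsearch (say, every source IP a user touched) produces more than the cap, the outer search silently runs against only the first 10,000 values, so a larger set should be joined or looked up another way rather than pushed through a subsearch.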

FAQs

How to do a subsearch in Splunk? ›

You must run the first search to identify the piece of information that you need, and then run the second search with that piece of information. You can combine these two searches into one search that includes a subsearch.

How to use output of one query in another query in Splunk? ›

The first query needs to go in a subsearch (the part in []) and return the needed field to the main search (which in your case is the second query). You can select which field to pass back to the main search with the return command. The result normally looks something like "field=value1 OR field=value2 OR ...".

Which of the following are responsible for consolidating search results in Splunk? ›

4) Deployment Server

Centralized Management: The deployment server helps manage Splunk configurations by consolidating them into one server, making it easier to manage instance consistency.

What is the limitation of Subsearch? ›

By default, subsearches return a maximum of 10,000 results and have a maximum runtime of 60 seconds.

How to do nested search in Splunk? ›

Nested query
  1. Run a plain query to get the data and extract a particular field.
  2. Use that field as an input for the second query.
  3. Get the object data as a string as a result, extract fields from there, and generate a report from it in tabular format.

Which command can be used to further filter results in a search (search, subsearch, filter, subset)? ›

The command that can be used to further filter results in a search is the subsearch command.

How do I make Splunk search more efficient? ›

Improve your searches
  1. Select an index in the first line of your search. ...
  2. Use the TERM directive. ...
  3. Use the tstats command. ...
  4. Avoid using table commands in the middle of searches and instead, place them at the end. ...
  5. Test your search string performance.
Apr 16, 2024

How do I fix orphaned searches in Splunk? ›

  1. Add the owner back to Splunk temporarily.
  2. Use the REST API to change ownership from the old owner to a new (existing) user.
  3. Delete the owner from the system.

How to search a query in Splunk? ›

To search on a keyword, select the Keyword tab, type the keyword or phrase you want to search on, then press Enter. If you want to search on a field, select the Fields tab, enter the field name, then press Enter. To continue adding keywords or fields to the search, select Add Filter.

Where are Splunk search results stored? ›

'sid' is the Search ID, and also the name of the folder in your dispatch directory. Job results are stored in the dispatch directory on the search head: $SPLUNK_HOME/var/run/splunk/dispatch. The SID should match the name of the directory in there.

How can a Splunk report be used to search? ›

Steps
  1. Navigate to the Splunk Search page.
  2. In the Search bar, type the default report Errors in the last 24 hours .
  3. Open search expansion by using the keyboard shortcut Command-Shift-E (Mac OSX) or Control-Shift-E (Linux or Windows). ...
  4. (Optional) Copy a fragment of the search.
Mar 12, 2024

How do I search for two keywords in Splunk? ›

If you put the sought strings in the base search then Splunk will search all fields for them. Then you can use the fields command to select the fields you want in the output:

index=centre_data ("DAN012A Dance" OR "2148 FNT004F Nutrition Technology") | fields ...

What command can you use to filter search results based on a text pattern in Splunk? ›

SPL2 common search commands

  rex     Specifies regular expression named groups to extract fields.
  search  Filters results to those that match the search expression.
  sort    Sorts the search results by the specified fields.

Article information

Author: The Hon. Margery Christiansen
