Presuming your id field is the same and available in both indices, this form should work:
(index=ndxA sourcetype=srctpA id=* source=example.log host=example "ERROR 1234") OR (index=ndxB sourcetype=srctpB id=* "some other string")
| rex field=_raw "(?<first_string>ERROR 1234)"
| rex field=_raw "(?<second_string>some other string)"
| stats count values(first_string) as first_string values(second_string) as second_string by id
| fillnull value="-" first_string second_string
| search NOT (first_string="-" OR second_string="-")
If your id field has a different name in the other index, do a rename like this before the stats line:
| rename otherIdFieldName as id
Advantages of this format:
- you are not limited by subsearch constraints (search must finish in 60 seconds, no more than 50k rows)
- the Search Peers (ie Indexers) will handle all of the overhead instead of having to wait on the Search Head that initiated the search to do lots of post-processing (all the SH is doing is sending the distributed search, then a post-stats filter to ensure both first_string and second_string have the values you are looking for)
from User warren – Stack Overflow https://stackoverflow.com/questions/75031025/splunk-use-result-from-first-search-in-second-search/75061485#75061485
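To see why a stats-by-id pipeline (rex, stats count values(...) by id, fillnull, search NOT ...) behaves like an inner join across the two indices, here is an added Python emulation of those stages over a few constructed events; it is not Splunk code and not part of the answer above, and the event data and id values are made up. Ids that match in only one index get "-" from the fillnull step and are dropped by the final filter.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for the two Splunk indices
# (made-up data, not from the original question or answer).
EVENTS = [
    {"index": "ndxA", "id": "42", "_raw": "ERROR 1234 disk full"},
    {"index": "ndxA", "id": "42", "_raw": "ERROR 1234 disk full again"},
    {"index": "ndxA", "id": "77", "_raw": "ERROR 1234 cache miss"},   # only in ndxA
    {"index": "ndxB", "id": "42", "_raw": "job 42: some other string"},
    {"index": "ndxB", "id": "99", "_raw": "job 99: some other string"},  # only in ndxB
]

# The two rex extractions expressed as Python named groups.
REX = {
    "first_string": re.compile(r"(?P<first_string>ERROR 1234)"),
    "second_string": re.compile(r"(?P<second_string>some other string)"),
}

def correlate(events):
    """Emulate: rex -> stats count values(first_string) values(second_string) by id
    -> fillnull value="-" -> search NOT (first_string="-" OR second_string="-").
    Returns {id: {"count", "first_string", "second_string"}} for ids seen in both."""
    rows = defaultdict(lambda: {"count": 0, "first_string": set(), "second_string": set()})
    for ev in events:
        row = rows[ev["id"]]
        row["count"] += 1                          # stats count ... by id
        for name, pattern in REX.items():          # rex field=_raw "..."
            m = pattern.search(ev["_raw"])
            if m:                                  # values() ignores absent fields
                row[name].add(m.group(name))
    result = {}
    for id_, row in rows.items():
        first = row["first_string"] or {"-"}      # fillnull value="-"
        second = row["second_string"] or {"-"}
        if "-" in first or "-" in second:          # search NOT (... OR ...)
            continue
        result[id_] = {"count": row["count"], "first_string": first, "second_string": second}
    return result

if __name__ == "__main__":
    for id_, row in correlate(EVENTS).items():
        print(id_, row)
```

Only id 42 survives: it has three events (count=3) and one value for each extracted field, while 77 and 99 are filtered out.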