{"id":46446,"date":"2021-10-25T17:32:27","date_gmt":"2021-10-25T17:32:27","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=46446"},"modified":"2021-10-25T17:32:27","modified_gmt":"2021-10-25T17:32:27","slug":"answer-by-warren-for-splunk-return-one-or-true-from-a-search-use-that-result-in-another-search","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=46446","title":{"rendered":"Answer by warren for Splunk: Return One or True from a search, use that result in another search"},"content":{"rendered":"<p>First &#8230; don&#8217;t <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/dedup\" rel=\"nofollow noreferrer\"><code>dedup<\/code><\/a> on <code>_raw<\/code><\/p>\n<p>The <code>_raw<\/code> events are <em>never<\/em> duplicated (unless you&#8217;ve done something wrong on ingest)<\/p>\n<p>Second, to your actual question &#8211; try something along the lines of this:<\/p>\n<pre><code>index=&quot;myIndex&quot; &quot;started with profile&quot; BD_L* \n| eval Platform=case(match(_raw,&quot;LINUX&quot;),&quot;LINUX&quot;,match(_raw,&quot;AIX&quot;),&quot;AIX&quot;,match(_raw,&quot;DB2&quot;),&quot;DB2&quot;, match(_raw,&quot;SQL&quot;),&quot;SQL&quot;, match(_raw,&quot;WEBSPHERE&quot;),&quot;WEBSPHERE&quot;, match(_raw,&quot;SYBASE&quot;),&quot;SYBASE&quot;, match(_raw,&quot;WINDOWS&quot;),&quot;WINDOWS&quot;, true(),&quot;ZLINUX&quot;) \n| stats count by Platform RUNID\n| join type=left RUNID\n    [ search index=&quot;myIndex&quot; source=&quot;\/*\/RUNID\/*&quot; CASE(&quot;ERROR&quot;) CTJT*\n        | stats count by RUNID\n    ]\n| stats count by Platform\n<\/code><\/pre>\n<p>If you can provide some sample data from your two indices, we can get you <em>much<\/em> closer to a good solution &#8211; but this should move you towards an answer<\/p>\n<p>There&#8217;s <em>likely<\/em> a way to <em>not<\/em> use <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/join\" rel=\"nofollow noreferrer\"><code>join<\/code><\/a> in this search &#8211; but we need sample data to verify that \ud83d\ude42<\/p>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/69707314\/splunk-return-one-or-true-from-a-search-use-that-result-in-another-search\/69712393#69712393<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>First &#8230; don&#8217;t dedup on _raw The _raw events are never duplicated (unless you&#8217;ve done something wrong on ingest) Second, to your actual question &#8211; try something along the lines of this: index=&quot;myIndex&quot; &quot;started with profile&quot; BD_L* | eval Platform=case(match(_raw,&quot;LINUX&quot;),&quot;LINUX&quot;,match(_raw,&quot;AIX&quot;),&quot;AIX&quot;,match(_raw,&quot;DB2&quot;),&quot;DB2&quot;, match(_raw,&quot;SQL&quot;),&quot;SQL&quot;, match(_raw,&quot;WEBSPHERE&quot;),&quot;WEBSPHERE&quot;, match(_raw,&quot;SYBASE&quot;),&quot;SYBASE&quot;, match(_raw,&quot;WINDOWS&quot;),&quot;WINDOWS&quot;, true(),&quot;ZLINUX&quot;) | stats count by Platform RUNID | join type=left RUNID &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=46446\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for Splunk: Return One or True from a search, use that result in another search<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-46446","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/46446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46446"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/46446\/revisions"}],"predecessor-version":[{"id":46447,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/46446\/revisions\/46447"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46446"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=46446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}