{"id":69453,"date":"2023-01-09T18:28:02","date_gmt":"2023-01-09T18:28:02","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=69453"},"modified":"2023-01-09T18:28:02","modified_gmt":"2023-01-09T18:28:02","slug":"answer-by-warren-for-splunk-use-result-from-first-search-in-second-search","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=69453","title":{"rendered":"Answer by warren for SPLUNK use result from first search in second search"},"content":{"rendered":"<p>Presuming your <code>id<\/code> field is the same and available in both indices, this form should work:<\/p>\n<pre><code>(index=ndxA sourcetype=srctpA id=* source=example.log host=example &quot;ERROR 1234&quot;) OR (index=ndxB sourcetype=srctpB id=* &quot;some other string&quot;)\n| rex field=_raw &quot;(?&lt;first_string&gt;ERROR 1234)&quot;\n| rex field=_raw &quot;(?&lt;second_string&gt;some other string)&quot;\n| fillnull value=&quot;-&quot; first_string second_string\n| stats count by id first_string second_string\n| search NOT (first_string=&quot;-&quot; OR second_string=&quot;-&quot;)\n<\/code><\/pre>\n<p>If your <code>id<\/code> field has a different name in the other index, do a <code>rename<\/code> like this before the <code>stats<\/code> line:<\/p>\n<pre><code>| rename otherIdFieldName as id\n<\/code><\/pre>\n<p>Advantages of this format:<\/p>\n<ul>\n<li>you are not limited by subsearch constraints (search must finish in 60 seconds, no more than 50k rows)<\/li>\n<li>the Search Peers (i.e. Indexers) will handle all of the overhead instead of having to wait on the Search Head that initiated the search to do lots of post-processing (all the SH is doing is sending the distributed search, then a post-<code>stats<\/code> filter to ensure <em>both<\/em> <code>first_string<\/code> and <code>second_string<\/code> have the values you are looking for)<\/li>\n<\/ul>\n<p>from User warren &#8211; Stack Overflow 
https:\/\/stackoverflow.com\/questions\/75031025\/splunk-use-result-from-first-search-in-second-search\/75061485#75061485<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Presuming your id field is the same and available in both indices, this form should work: (index=ndxA sourcetype=srctpA id=* source=example.log host=example &quot;ERROR 1234&quot;) OR (index=ndxB sourcetype=srctpB id=* &quot;some other string&quot;) | rex field=_raw &quot;(?&lt;first_string&gt;ERROR 1234)&quot; | rex field=_raw &quot;(?&lt;second_string&gt;some other string)&quot; | fillnull value=&quot;-&quot; first_string second_string | stats count by id first_string second_string | search &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=69453\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for SPLUNK use result from first search in second 
search<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-69453","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/69453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=69453"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/69453\/revisions"}],"predecessor-version":[{"id":69454,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/69453\/revisions\/69454"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=69453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=69453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=69453"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=69453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]
}}