Filtering splunk results using results of another splunk query

splunk
seahorse picture seahorse · Mar 1, 2013 · Viewed 23.4k times · Source

I want to use a query in splunk, extract a list of fields and then use these result fields to further filter my subsequent splunk query. How do I do this?

Answer

emiller42 picture emiller42 · Apr 17, 2013

the FORMAT command can be particularly useful for this. This is an overly simplistic example, but should give you an idea of how it's used:

First, craft your subsearch that will give you the fields you care about. Here is a functioning example:

|metadata type=hosts index=_internal | table host | format

Try running this search on it's own to see what the output looks like.

Then we just add it in as a subsearch of your real search:

index=foo sourcetype=bar [|metadata type=hosts index=_internal | table host | format]

that will give you events from index foo, sourcetype bar, and every host from the subsearch.

This is actually an extremely powerful command, as you can use it to dynamically set timeranges as well as complex boolean filters.

More FORMAT documentation can be found here

More complex example of what can be done with FORMAT

Related questions

What does (?i) and ?@ in this regex mean

In the following regex what does "(?i)" and "?@" mean? (?i)<.*?@(?P<domain>\w+\.\w+)(?=>) I know that "?" means zero or one and that i sets case insensitivity. This regex captures domains from an email address in …

Read More
Splunk how to combine two queries and get one answer

I am very new to Splunk and basically been dropped in the deep end!! also very new to language so any help and tips on the below would be great. The out come i am trying to get is to …

Read More
How to ignore a specific sub-string from Splunk query

Need some help to generate appropriate Spunk query. I am searching for this but could not come up with a solution. Currently, I want to ignore all error alerts that are generated for logs with only ev31=error; term. If …

Read More