So I am new to Splunk, but cannot seem to find the answer to this likely simple search question. So I need to search for a string, then use that value in a second search. Assuming this will just be a subsearch.
For example:
I can use this search to pull the piece of information I need - but it labels it as a field called **callID**. We have not set up callID as a field yet it seems, and I don't want to rock the boat on that just yet, so I think I just need it as a string to use in the next search. Would I look for that "callID" part using regex?
index=sip-ra ani 18005551111 17775559999 ConfJoinNote | rex field=_raw "\<callLegSessionID\>(?<callID>.*)\<\/callLegSessionID\>"
That would return this as callID:
204.466.sip_reservationless_conference.102@64.214.111.111
Then my next search would have the above as a subsearch like so:
index=sip-ra [subsearch to get the callID string] "audio" "digits"
I just can't figure out how to get it to use that 204.466*** as part of that next search?
Thank you!
skiller
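
The two searches described in the question can be combined as follows. This is an added example, not part of the original post. It assumes the extracted value sits between `<callLegSessionID>` and `</callLegSessionID>` tags in the raw event, and that the first matching event carries the call ID of interest.

```spl
index=sip-ra "audio" "digits"
    [ search index=sip-ra ani 18005551111 17775559999 ConfJoinNote
      ``` search-time extraction only: nothing is added to the index or to props.conf ```
      | rex field=_raw "\<callLegSessionID\>(?<callID>.*)\<\/callLegSessionID\>"
      ``` drop events where the pattern did not match ```
      | where isnotnull(callID)
      ``` keep a single result so the outer search gets exactly one term ```
      | head 1
      ``` $callID returns only the value, not callID=value, so the outer search
          treats it as a plain string matched against the raw event text ```
      | return $callID ]
```

The subsearch runs first and its output is substituted into the outer search as a search term, so `callID` does not need to exist as a configured field. To match several call IDs, replace `head 1` with `dedup callID` and give `return` a count, for example `return 10 $callID`, which ORs the values together.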