https://community.splunk.com/t5/Splunk-Search/How-can-we-extract-transaction-id-from-an-event-and-do-a-search/m-p/342200#M101393 <P>Try this...</P> <PRE><CODE>index=baz [ index=baz "Internal Server Error" transactionID=* | stats by transactionID] </CODE></PRE> <P>The stuff in braces, because of an implicit <CODE>format</CODE> command, translates to...</P> <PRE><CODE> ( transactionID="Value1" OR transactionID="Value2" OR ...) </CODE></PRE> <P>If nothing comes back from the braces, it comes out as... </P> <PRE><CODE>NOT () </CODE></PRE> <P>...which is valid but will return no results. </P> Wed, 02 Aug 2017 22:53:12 GMT DalJeanis 2017-08-02T22:53:12Z https://community.splunk.com/t5/Splunk-Search/How-can-we-extract-transaction-id-from-an-event-and-do-a-search/m-p/342199#M101392 <P>I am fairly new to Splunk queries.</P> <P>I have below mentioned logs:</P> <P>INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=12345 - "Internal Server Error"<BR /> INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=12345 - "Foo"<BR /> INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=12345 - "Bar"</P> <P>INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=45678 - "Success"<BR /> INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=45678 - "Foo"<BR /> INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=45678 - "Bar"</P> <P>I need to search for events which has "Internal Server Error" then extract the transactionID and do a new search to print all the events which has that transactionID.<BR /> So my output should be <BR /> INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=12345 - "Internal Server Error"<BR /> INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=12345 - "Foo"<BR /> INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=12345 - "Bar"</P> <P>The query should not fail if there are no events. I used subquery to return transactionID for base query, but for 0 events it failed saying Comparator '=' has missing right side value.</P> <P>Any help is much appreciated.</P> Wed, 02 Aug 2017 21:20:11 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-extract-transaction-id-from-an-event-and-do-a-search/m-p/342199#M101392 diliphg 2017-08-02T21:20:11Z https://community.splunk.com/t5/Splunk-Search/How-can-we-extract-transaction-id-from-an-event-and-do-a-search/m-p/342200#M101393 <P>Try this...</P> <PRE><CODE>index=baz [ index=baz "Internal Server Error" transactionID=* | stats by transactionID] </CODE></PRE> <P>The stuff in braces, because of an implicit <CODE>format</CODE> command, translates to...</P> <PRE><CODE> ( transactionID="Value1" OR transactionID="Value2" OR ...) </CODE></PRE> <P>If nothing comes back from the braces, it comes out as... </P> <PRE><CODE>NOT () </CODE></PRE> <P>...which is valid but will return no results. </P> Wed, 02 Aug 2017 22:53:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-extract-transaction-id-from-an-event-and-do-a-search/m-p/342200#M101393 DalJeanis 2017-08-02T22:53:12Z https://community.splunk.com/t5/Splunk-Search/How-can-we-extract-transaction-id-from-an-event-and-do-a-search/m-p/342201#M101394 <P>Still doesn't work.</P> <P>This query gives the stats "index=baz "Internal Server Error" transactionID=* | stats by transactionID".</P> <P>But this whole query index=baz [search index=baz "Internal Server Error" transactionID=* | stats by transactionID] says 0 events found.</P> <P>Since i am new please help if there are any silly mistakes.</P> Thu, 03 Aug 2017 03:12:48 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-extract-transaction-id-from-an-event-and-do-a-search/m-p/342201#M101394 diliphg 2017-08-03T03:12:48Z