topic Re: Splunk search join in Splunk Search

Splunk search join

Ponczi1 — Tue, 19 Dec 2017 07:41:47 GMT

Hello,

I am trying to join two searches so i could get number of declined transactions in time. First i look for inbound messages to get an IDs (it's in txRef tag) of special kinds transactions and then I am looking for outbound messages of all declined transaction to join them together based on the IDs

The search I am using looks like this but it is not working correctly.

index=Auth AuthorizeTransaction Inbound Message "<alias" NOT "<ticket" 
| regex "<txRef>(?<TXREF>\d+)<" 
| eval txRefs = TXREF
| join type=inner txRefs [search index=Auth Outbound Message "declined" | regex "<txRef>(?<TXREF>\d+)</txRef>" | eval txRefs=TXREF]
| timechart span=1h count as "Declined transactions"

EDIT

I have found what i was doing wrong. Apprently i was using Regex instead of Rex so i did not really extract the fields 🙂

Re: Splunk search join

mayurr98 — Tue, 19 Dec 2017 08:19:54 GMT

will you please enter your code in 101010 written below text box as there are some escape characters in your query

Re: Splunk search join

Ponczi1 — Tue, 19 Dec 2017 08:30:45 GMT

Sure, sorry

Re: Splunk search join

nickhills — Tue, 19 Dec 2017 09:12:22 GMT

That's good news. Ideally you should post an answer and accept it yourself, so that other people can see that you resolved it, and how. You can also upvote any answer or comments who helped you!

Re: Splunk search join

mayurr98 — Tue, 19 Dec 2017 09:14:18 GMT

Try this:

index=Auth AuthorizeTransaction Inbound Message "<alias" NOT "<ticket" 
 | rex field=_raw "\<txRef\>(?<TXREF>\d+)\<\/txRef\>" 
 | eval txRefs = TXREF
 | join type=inner txRefs [search index=Auth Outbound Message "declined" | rex field=_raw "\<txRef\>(?<TXREF>\d+)\<\/txRef\>" | eval txRefs=TXREF]
 | timechart span=1h count as "Declined transactions"

Let me know if this helps!

Re: Splunk search join

Ponczi1 — Tue, 19 Dec 2017 09:16:13 GMT

Yeah i figured that "rex" was the problem. But thanks a lot anyway!