topic Re: How to access data in rows of table and then search further using each of those values? in Splunk Search

How to access data in rows of table and then search further using each of those values?

sai_shreyashi_p — Wed, 11 Sep 2019 06:37:02 GMT

Suppose I have logged data with certain fields like id, level, message etc.
Ex:
id:123
level:warn
Message:xyz task is being performed(msg1)

I need to find all logs which have the above message logged but should not have gone through a log with message 'abc task is being performed'(msg2)
So what I was trying to do was first get all id which have msg1 then use a subsearch to search for each of those ids NOT (msg2) is found. But it isn't working and I even tried:

fields id | map search=" search sourcetype=default_abc id=* NOT "abc task is being performed" "

Sorry, I am new to this so I might be wrong with understanding a lot of it.

Re: How to access data in rows of table and then search further using each of those values?

renjith_nair — Wed, 30 Sep 2020 02:10:19 GMT

@sai_shreyashi_penugo,

Try

Updated as per comments:

 "your other search terms"  "*task is being performed*"
 |eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
 |where msg1Count>0 AND msg2Count < 1

=-=-=-=-=-=-=-=-=-=-=

"your other search terms"  "*task is being performed*" NOT "*msg2"

Extract the message and filter using that

"base search" | rex field=Message "performed\((?<msg>.+)\)"|where msg!="Msg2"

Re: How to access data in rows of table and then search further using each of those values?

sai_shreyashi_p — Thu, 12 Sep 2019 11:26:50 GMT

thank you for the reply but this won't help completely in my case. I need to check for each id if it has a log with message 1 and does not have a log with message 2.

Re: How to access data in rows of table and then search further using each of those values?

renjith_nair — Wed, 30 Sep 2020 02:07:16 GMT

@sai_shreyashi_penugo,
What about

"your other search terms"  "*task is being performed*"
|eventstats count(eval(searchmatch("msg1"))) as msg1Count,count(eval(searchmatch("msg2"))) as msg2Count by id
|where msg1Count>0 AND msg2Count < 1

Re: How to access data in rows of table and then search further using each of those values?

sai_shreyashi_p — Fri, 13 Sep 2019 05:38:15 GMT

Thank you so much! This solved it.