topic Re: Match by rex field in subsearch in Splunk Search

Match by rex field in subsearch

infcl — Fri, 17 Jan 2020 21:55:49 GMT

I have one log like:
log1 tid=,"tid":"abcd";

And another log like:
log2 userid=11 tid=abcd

I want to get the count of results where rexed tid in log1 matches tid in log2, deduped by userid.

I tried:
log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | eval tid1=tid | dedup userid] | stats count

However it returned 0. though there should be more.

Re: Match by rex field in subsearch

jscraig2006 — Fri, 17 Jan 2020 23:54:46 GMT

i don't know if this will make a difference, but your regex is missing escapes on your some of your characters. Try | rex "tid\"\:\"(?<tid1>[^\"]+)"

Re: Match by rex field in subsearch

to4kawa — Sat, 18 Jan 2020 02:02:42 GMT

e.g.

| makeresults 
| eval _raw="userid=11 tid=abcd"
| appendpipe 
    [eval _raw="userid=12 tid=abce"]
| kv
| search
    [| makeresults 
    | eval _raw="tid=,\"tid\":\"abcd\";" 
    | rex field=_raw "\"tid\":\"(?<tid1>.*)\";" 
    | rename tid1 as query]

Recommend:

log2 
| kv
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query] 
| stats count by userid

Hi, @infcl
maybe, log1 does not have userid. so, dedup userid can't works and result is "0"
I don't know the fields extracted, I use kv
if log2 has the field userid , kv is not needed

Re: Match by rex field in subsearch

infcl — Sat, 18 Jan 2020 04:51:19 GMT

Unfortunately it didn't work.

log2 always has userid.

Even

   log2   
   | search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]

did not return any results.

When I search log2 and log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 individually, they return results, so those portions are correct.

Re: Match by rex field in subsearch

infcl — Sat, 18 Jan 2020 04:55:58 GMT

@jscraig2006 that shouldn't be a problem, because log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 does return results.

Re: Match by rex field in subsearch

to4kawa — Sat, 18 Jan 2020 05:41:42 GMT

log2 "tid1 value"

return results?

my search is same logic search.

I think you say
search log2⇨ returen results
search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1⇨ returen results
OK?

Re: Match by rex field in subsearch

infcl — Sat, 18 Jan 2020 06:23:23 GMT

Yes that's what I mean, the individual searches are correct. But the matching is not.

Re: Match by rex field in subsearch

to4kawa — Sat, 18 Jan 2020 08:35:15 GMT

If log2 tid field is extracted,

log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 |rename tid1 as tid]

This query should return results.
if is returns "0" , there really is no result.

Re: Match by rex field in subsearch

woodcock — Sat, 18 Jan 2020 19:43:36 GMT

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ("log1" OR "log2")
| rex "tid=,\"tid\":\"(?<tid>.*)\";"
| eval which=if(searchmatch("log1"), "log1", "log2")
| dedup userid which
| stats dc(which) AS which_count BY tid
| where which_count==2