topic Re: Splunk Append Query in Splunk Search

Splunk Append Query

NishantKrishna — Tue, 13 Feb 2024 15:03:23 GMT

I am using the below query to merge 2 queries using append. However, I am unable to get the value of the field named "Code" from the first query under | search "Some Logger" printed in the Statistics section:

index=* sourcetype=* host=* | search "Some Logger" | rex "LoggerName\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)" | table Code | append [ search host=* | search "LoggerName2*" | rex field=_raw "field1=(?<field1>)\}" | rex field=_raw "field2=(?<field2>)," | rex field=_raw "field3=(?<field3>[a-zA-z-_0-9\\s]*)" | rex field=_raw "(?<field4>[\w-]+)$" | rex field=_raw "field5=(?<field5>)," | rex field=_raw "field6=(?<field6>)," | table field1,field2 ]

The result from the 2nd/child query i.e. | search "LoggerName2*" is printing just fine in a tabular format.

Value of the code field is API response code i.e. can be either 2XX, 3XX, 4XX, 5XX.
Could someone please help ? Thanks!

Re: Splunk Append Query

ITWhisperer — Tue, 13 Feb 2024 14:23:58 GMT

You would have to share some sample events (anonymised of course) in order for us to determine why your rex command is not extracting the code for you

Re: Splunk Append Query

NishantKrishna — Tue, 13 Feb 2024 15:28:18 GMT

Re: Splunk Append Query

NishantKrishna — Tue, 13 Feb 2024 15:53:48 GMT

Logger 1 events:

Logger 2 events:

2024-02-13 13:58:24.174 INFO 54208 ---[XX_XX:xx-xxx-xxx][utor-thread-XXX] c.l.s.d.a.XXXXXXX : XXX-XXX-20000: XXX: true, XXX: XXXXXXXXXXX0305a8a3f369f518,

XXXX: 6shfsgj7601f909<LoggerName2> {notificationDetails={key=XXX, key=hXXXXXn@XX.com , key=XXXXX, key=XXX, key=donotreply@XXX.co.uk, key=XXX63801, key=XXX_20240213, key=XXX_BATCH}, templateVariables={key=XXXX7757, key=9NE, key=Mr, key=Mau}} , 583d6bc3-5e7d-4af8-a626-22db8bb50cb9

Re: Splunk Append Query

ITWhisperer — Tue, 13 Feb 2024 16:33:37 GMT

Your regex do not match your sample events, for example, the logger1 regex could look like this (assuming your example event is accurate):

Re: Splunk Append Query

NishantKrishna — Tue, 13 Feb 2024 16:48:05 GMT

field1 - time in ms

field2/field3 - mode of comms in caps letter

field4 - brand in caps letter

field5 - templateName( e.g. XX_YYYYYYY_ZZZ_XXX )

field6 - hashID

field7 - responsecode (2xx,3xx,4xx or 5xx)

Re: Splunk Append Query

ITWhisperer — Tue, 13 Feb 2024 17:01:08 GMT

Regex is a pattern matching algorithm. The problem with dummy data as you have provided is that if it doesn't accurately enough match the actual data, the regex used will not work. Please share an accurate representation of your events in a code block </> so that formatting is preserved as this is important for pattern recognition.

Re: Splunk Append Query

NishantKrishna — Tue, 13 Feb 2024 17:57:13 GMT

Attached log snippet