https://community.splunk.com/t5/Splunk-Search/Extend-search-results-data-by-correlation-id-and-exclude-on/m-p/685476#M233889 <P>Hello, I have 500 HTTP messages in my access log. Also I have corresponding events from other log sources with the same correlation-id. Now I want to join the information to enhance the results.</P><P>&nbsp;</P><P>Access Log Events:</P><P>&nbsp;</P><LI-CODE lang="markup">2024-04-25T11:00:26+00:00 [info] type=access status=500 xCorrelationId=90e2a321-f522-466f-9ffa-72cbdaa1a576 .... 2024-04-25T10:15:25+00:00 [info] type=access status=500 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 ...</LI-CODE><P>&nbsp;</P><P>Other Events:</P><P>&nbsp;</P><LI-CODE lang="markup">2024-04-25T10:15:24+00:00 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 NoHandlerFoundException: No endpoint GET</LI-CODE><P>&nbsp;</P><P data-unlink="true">&nbsp;</P><P data-unlink="true"><SPAN class=""><SPAN class="">My actual intention is, to exclude the results from main search, if there is another event with the same correlation-id but containing specific exceptions like "<SPAN class=""><SPAN class="">NoHandlerFoundException". That means, i need a search per result from the main search.</SPAN></SPAN></SPAN></SPAN></P><P data-unlink="true"><SPAN class=""><SPAN class=""><SPAN class=""><SPAN class="">Do you know a solution for this?</SPAN></SPAN></SPAN></SPAN></P><P data-unlink="true"><SPAN class=""><SPAN class=""><SPAN class=""><SPAN class="">Thanks!</SPAN></SPAN></SPAN></SPAN></P> Thu, 25 Apr 2024 13:25:28 GMT sscholl 2024-04-25T13:25:28Z https://community.splunk.com/t5/Splunk-Search/Extend-search-results-data-by-correlation-id-and-exclude-on/m-p/685476#M233889 <P>Hello, I have 500 HTTP messages in my access log. Also I have corresponding events from other log sources with the same correlation-id. Now I want to join the information to enhance the results.</P><P>&nbsp;</P><P>Access Log Events:</P><P>&nbsp;</P><LI-CODE lang="markup">2024-04-25T11:00:26+00:00 [info] type=access status=500 xCorrelationId=90e2a321-f522-466f-9ffa-72cbdaa1a576 .... 2024-04-25T10:15:25+00:00 [info] type=access status=500 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 ...</LI-CODE><P>&nbsp;</P><P>Other Events:</P><P>&nbsp;</P><LI-CODE lang="markup">2024-04-25T10:15:24+00:00 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 NoHandlerFoundException: No endpoint GET</LI-CODE><P>&nbsp;</P><P data-unlink="true">&nbsp;</P><P data-unlink="true"><SPAN class=""><SPAN class="">My actual intention is, to exclude the results from main search, if there is another event with the same correlation-id but containing specific exceptions like "<SPAN class=""><SPAN class="">NoHandlerFoundException". That means, i need a search per result from the main search.</SPAN></SPAN></SPAN></SPAN></P><P data-unlink="true"><SPAN class=""><SPAN class=""><SPAN class=""><SPAN class="">Do you know a solution for this?</SPAN></SPAN></SPAN></SPAN></P><P data-unlink="true"><SPAN class=""><SPAN class=""><SPAN class=""><SPAN class="">Thanks!</SPAN></SPAN></SPAN></SPAN></P> Thu, 25 Apr 2024 13:25:28 GMT https://community.splunk.com/t5/Splunk-Search/Extend-search-results-data-by-correlation-id-and-exclude-on/m-p/685476#M233889 sscholl 2024-04-25T13:25:28Z https://community.splunk.com/t5/Splunk-Search/Extend-search-results-data-by-correlation-id-and-exclude-on/m-p/685484#M233893 <LI-CODE lang="markup">&lt;main index&gt; NOT [search &lt;other source&gt; NoHandlerFoundException | stats count by xCorrelationId | fields xCorrelationId | format]</LI-CODE><P>However, depending on how may exceptions you have, you may run into limitations as the sub-search with the format command will essentially return a long string which might be too large to be parsed in the main search.</P><P>Another way to do it is to search both sources, and correlate by xCorrelationId and exclude those xCorrelationId's which have the exception, but this still means you are retrieving both full sets of events and correlating them before you can filter out any.</P> Thu, 25 Apr 2024 14:10:29 GMT https://community.splunk.com/t5/Splunk-Search/Extend-search-results-data-by-correlation-id-and-exclude-on/m-p/685484#M233893 ITWhisperer 2024-04-25T14:10:29Z https://community.splunk.com/t5/Splunk-Search/Extend-search-results-data-by-correlation-id-and-exclude-on/m-p/685538#M233912 <P>The number of values in the subsearch cannot be too large as it will perform really badly, but one slight change to&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;subsearch is to do</P><LI-CODE lang="markup">&lt;main index&gt; NOT [ search &lt;other source&gt; NoHandlerFoundException | stats values(xCorrelationId) as search | format]</LI-CODE><P>which will perform faster. It will change the outer search from</P><LI-CODE lang="markup">&lt;main index&gt; NOT ( ( ( xCorrelationId=A OR xCorrelationId=B OR... ) ) )</LI-CODE><P>to</P><LI-CODE lang="markup">&lt;main index&gt; NOT ( ( ( A OR B OR C OR D ... ) ) )</LI-CODE><P>where A, B etc are the values or xCorrelationId</P><P>The key point is having a field name 'search' in the output rather than xCorrelationId, which changes the effect of the&nbsp;<STRONG>format</STRONG> command.</P> Fri, 26 Apr 2024 01:32:38 GMT https://community.splunk.com/t5/Splunk-Search/Extend-search-results-data-by-correlation-id-and-exclude-on/m-p/685538#M233912 bowesmana 2024-04-26T01:32:38Z