topic How to get a variable from first search and pass to subsearch? in Splunk Search

How to get a variable from first search and pass to subsearch?

amylala — Mon, 23 Nov 2015 11:11:47 GMT

There are 2 kinds of log:
one is error log
the other is access log.

In error log, there is a field requestUrl. value format is https://google.com/home.html.
In access log, there is field requestPath, value format is /home.html.

I want to combine them with requestUrl and requestPath, and then count the error rate.

The query I used likes:

index=app..eventName=xxx| rex field=requestUrl "https://google.com(?<**path**>.*)" | stats count as failureCount | appendcols [search index=app .. requestPath=$**path**$| stats count as total]

The variable **path** cannot be passed to requestPath in subsearch. I can only get total=0.

Anyone know how to get the path from the first search passed to subsearch?

Re: How to get a variable from first search and pass to subsearch?

jplumsdaine22 — Mon, 23 Nov 2015 12:36:07 GMT

You may be better off doing this backwards.

index=app [index=app..eventName=xxx| rex field=requestUrl "https://google.com(?.*)" |fields requestPath] |stats count as Total count(eval(eventName="xxx")) as Failures by requestPath

Re: How to get a variable from first search and pass to subsearch?

woodcock — Fri, 27 Nov 2015 21:47:31 GMT

Generally, this is done with the map command but that would be way too inefficient for this use-case.

Try this (put your special stuff instead of ...😞

index=app ... | rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(isnotnull(requestUrl))) AS numErrors count(eval(isnotnull(requestPathl))) AS numHits by commonPath
| where numErrors>0

This shows you only those path values that have errors and shows both a hit-count and error-count.

Re: How to get a variable from first search and pass to subsearch?

amylala — Mon, 30 Nov 2015 04:30:57 GMT

Thanks jplumsdaine22 & woodcock.
I cannot use requestUrl/eventName to count numErrors directly. I need to filter errors with other fields, like level=error. And this field exists only in event log not in access log.

So I decide to use map command even it is inefficient. Thanks for your help. 🙂

Re: How to get a variable from first search and pass to subsearch?

amylala — Mon, 30 Nov 2015 10:41:24 GMT

I use following query. It works if base search result is not null. But get error if base search result is null - Error in 'map': Did not find value for required attribute 'commonPath'.
What can I do to skip the subsearch and set successRate to 100 when no numError?

index=app .. eventName=xxx| rex field=requestUrl "([^/]+://)?[^/]+(?/.*)" |stats count as numError by commonPath| map search="search index=app .. requestPath=$commonPath$| stats count as total by requestPath | eval successRate=(numTotal - $numError$)/numTotal*100 "

Re: How to get a variable from first search and pass to subsearch?

woodcock — Mon, 14 Dec 2015 02:39:15 GMT

Also, you cannot use asterisks ( * ) in a field name. Maybe that is the only problem that you are having?