https://community.splunk.com/t5/Splunk-Search/Complex-subsearch-Need-to-extract-value-of-field-and-pipe-into/m-p/39675#M9079 <P>So I’m trying to link a couple different fields together to get the data I’m looking for, but it involves a couple steps and not sure how to put this subsearch together. I’ve been able to extract fields, but still some more steps to go. Anyway here is what I’m trying to do:</P> <P>1 - Find MID’s from lines with “<EM>Veriifcation-Fail</EM>”</P> <P>Jan 31 11:43:28 x.x.x.x mail_logs: Info: MID <EM>401106733</EM> Custom Log Entry: Verification-Fail</P> <P>2 - Then search for that same MID to find the associated ICID</P> <P>Jan 31 11:44:35 x.x.x.x mail_logs: Info: MID 1252214406 ICID 2116684223 <STRONG>From: <A href="mailto:user@company.com">user@company.com</A></STRONG> (with &lt; &gt; around email - will not come up in this editor)</P> <P>3 - Then I take the ICID and search for that</P> <P>grep <EM>2116684223</EM> logfile</P> <P>Jan 31 11:44:35 x.x.x.x maillogs: Info: New SMTP ICID <EM>2116684223</EM> interface Data 1 (10.10.10.10) address <STRONG>10.10.10.10</STRONG> reverse dns host <STRONG>host.domain.local</STRONG> verified no</P> <P>The data I need are the FROM: and the SMTP IP and HOST in <STRONG>bold</STRONG> above.</P> <P>Any help at all is appreciated. Very new to splunk, but just need nudge in the right direction.</P> <P>Thanks.</P> Thu, 21 Feb 2013 21:06:12 GMT whateverman 2013-02-21T21:06:12Z https://community.splunk.com/t5/Splunk-Search/Complex-subsearch-Need-to-extract-value-of-field-and-pipe-into/m-p/39675#M9079 <P>So I’m trying to link a couple different fields together to get the data I’m looking for, but it involves a couple steps and not sure how to put this subsearch together. I’ve been able to extract fields, but still some more steps to go. Anyway here is what I’m trying to do:</P> <P>1 - Find MID’s from lines with “<EM>Veriifcation-Fail</EM>”</P> <P>Jan 31 11:43:28 x.x.x.x mail_logs: Info: MID <EM>401106733</EM> Custom Log Entry: Verification-Fail</P> <P>2 - Then search for that same MID to find the associated ICID</P> <P>Jan 31 11:44:35 x.x.x.x mail_logs: Info: MID 1252214406 ICID 2116684223 <STRONG>From: <A href="mailto:user@company.com">user@company.com</A></STRONG> (with &lt; &gt; around email - will not come up in this editor)</P> <P>3 - Then I take the ICID and search for that</P> <P>grep <EM>2116684223</EM> logfile</P> <P>Jan 31 11:44:35 x.x.x.x maillogs: Info: New SMTP ICID <EM>2116684223</EM> interface Data 1 (10.10.10.10) address <STRONG>10.10.10.10</STRONG> reverse dns host <STRONG>host.domain.local</STRONG> verified no</P> <P>The data I need are the FROM: and the SMTP IP and HOST in <STRONG>bold</STRONG> above.</P> <P>Any help at all is appreciated. Very new to splunk, but just need nudge in the right direction.</P> <P>Thanks.</P> Thu, 21 Feb 2013 21:06:12 GMT https://community.splunk.com/t5/Splunk-Search/Complex-subsearch-Need-to-extract-value-of-field-and-pipe-into/m-p/39675#M9079 whateverman 2013-02-21T21:06:12Z https://community.splunk.com/t5/Splunk-Search/Complex-subsearch-Need-to-extract-value-of-field-and-pipe-into/m-p/39676#M9080 <P>I think this is very similar to some other questions that have nice detailed answers -- </P> <P><A href="http://splunk-base.splunk.com/answers/29172/transaction-problems-with-lots-of-events-and-multiple-fields">http://splunk-base.splunk.com/answers/29172/transaction-problems-with-lots-of-events-and-multiple-fields</A></P> <P><A href="http://splunk-base.splunk.com/answers/29489/using-transaction-with-one-to-many-relationships">http://splunk-base.splunk.com/answers/29489/using-transaction-with-one-to-many-relationships</A> </P> <P>I would check out the <CODE>transaction</CODE> command thoroughly, and just put the subsearch idea on hold for a while. Then after you feel you have a grasp for <CODE>transaction</CODE> as a tool take a look at <CODE>searchtxn</CODE>. The searchtxn command was to a significant extent created precisely to address dcid - mid - icid use cases, however I think you'll get the hang of it faster if you go slow and bone up on <CODE>transaction</CODE> first. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Searchtxn">http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Searchtxn</A></P> Fri, 22 Feb 2013 03:55:28 GMT https://community.splunk.com/t5/Splunk-Search/Complex-subsearch-Need-to-extract-value-of-field-and-pipe-into/m-p/39676#M9080 sideview 2013-02-22T03:55:28Z https://community.splunk.com/t5/Splunk-Search/Complex-subsearch-Need-to-extract-value-of-field-and-pipe-into/m-p/39677#M9081 <P>ok, thanks! I just read the transaction reference page, and I feel much more confident. Exactly what I was looking for. Let's hope it works well though. I will update with my results. Thanks!</P> Fri, 22 Feb 2013 07:27:08 GMT https://community.splunk.com/t5/Splunk-Search/Complex-subsearch-Need-to-extract-value-of-field-and-pipe-into/m-p/39677#M9081 whateverman 2013-02-22T07:27:08Z