topic Re: Extracting id field from one event and looking for this id in another event in Splunk Search

Extracting id field from one event and looking for this id in another event

kdulhan — Thu, 31 Aug 2017 13:35:45 GMT

Hi All,

I have the below two event logs:
Event1:
ns=app1, id=12,Error='400', Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 Error='400'
Above gives me the Event 1 where I have an error code of 400.

Kindly let me know how to fetch id from Event 1 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .

Thank you!

Re: Extracting id field from one event and looking for this id in another event

richgalloway — Thu, 31 Aug 2017 15:47:40 GMT

Perhaps this will help get you started.

ns=app1 | transaction id startswith=eval(Error='400') | eval OutputField1=if(eventcount==2, 1, 0), OutputField2=if(eventcount==1, 1, 0) | stats sum(OutputField1) as OutputField1 sum(OutputField2) as OutputField2 | table OutputField2 OutputField2

Re: Extracting id field from one event and looking for this id in another event

kdulhan — Thu, 31 Aug 2017 16:13:26 GMT

Thank you.

Event1:
ns=app1, id=12, [ErrorResponse] Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 ErrorResponse
Above gives me the Event 1 where I have an error.

Kindly let me know how to fetch id from Event 1 i.e. id=12 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .

Thank you

Re: Extracting id field from one event and looking for this id in another event

kdulhan — Fri, 01 Sep 2017 10:26:50 GMT

In order to search for the error records, I use :
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.

Thank you!

Re: Extracting id field from one event and looking for this id in another event

richgalloway — Fri, 01 Sep 2017 13:12:43 GMT

That is different from your original question. It's difficult to provide an answer when the question changes.

Re: Extracting id field from one event and looking for this id in another event

kdulhan — Fri, 01 Sep 2017 13:18:05 GMT

My bad. I misread/misunderstood the logs. Kindly provide the guidance for my recent posted query.

Re: Extracting id field from one event and looking for this id in another event

woodcock — Sun, 03 Sep 2017 06:27:47 GMT

Like this:

ns=app1 [ns=app1 Error='400'  | table id]
| stats count BY id
| search count>1
| stats count

Re: Extracting id field from one event and looking for this id in another event

richgalloway — Wed, 06 Sep 2017 12:56:16 GMT

Try this.

ns=app1 appId=* [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | return ActNo]
| stats sum(eval(appId=='New1')) as counter1 sum(eval(appId!='New1')) as counter2