Splunk Dev

How to retrieve specific Splunk query response

msg4sunil
Path Finder

Team,

index sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as q|table q|format

returns me

( ( q="100223608103" ) OR ( q="D202204021000676" ) )

 

How do I get the below instead?

( ( "100223608103" ) OR ("D202204021000676" ) )

 

Thank you

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rename transactionid as query

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| rename transactionid as query

msg4sunil
Path Finder

Lovely thank you.  Just now figured out that even the below works

| rename transactionid as search

 

Source: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults

The following search looks for a value in the clID field that is associated with a name token or field value. The clID value is then used to search for several sources.

index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID ]

The subsearch returns the field and value in the format: ( (clID="0050834ja") )

To return only the value, 0050834ja, rename the clID field to search in the subsearch. For example:

index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID | rename clID as search ]

When the field is named search or query, the field name is dropped and the implicit | format command at the end of the subsearch returns only the value.

If you return multiple values, such as specifying ...| top limit=3, the subsearch returns each of the values with the boolean OR operator between the values. For example, if the previous search example used ...| top limit=3, the values returned from the subsearch are ( ( value1 ) OR ( value2 ) OR ( value3 ) ).

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

I always forget 'query' keyword

Here's the doco on those keywords

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Search/Changetheformatofsubsearchresults

 

bowesmana
SplunkTrust
SplunkTrust

Not exactly what you want, but replace format with

| return 999 $q

 that will give you 

(100223608103) OR (D202204021000676)

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...