Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

want to use field value of 1st search in join search query to filter event of search query inside join.

Abhineet
Loves-to-Learn Everything
‎07-03-2023 05:17 AM

Hi,

Looking for splunk query to use field value of 1st search in join search query to filter event of search query inside join.

Query:

index=lsc_db2_qa_index sourcetype=lsc_db2_ewm_qa_outbound
| dedup EDIDCDOCNUM
| rex field=_raw "(?<dateTime>[\d\-\s:]+).\d{3}, TIME.*"
| rename EDIDCDOCNUM as ewmIdoc EDIDCSTATUS as ewmIdocStatus MESTYP as ewmmesType dateTime as ewmCreateTime
| table ewmIdoc ewmIdocStatus ewmmesType ewmCreateTime
| join type=outer ewmIdoc
[search index=webmethods_qa5555_index sourcetype=transactions_qa5555_src
| search sender="AMAT_SAP_EWM" AND receiver="EXACTA"
| rex field=_raw "(?<wmDateTime>[\d\-:\s]+) .*"
| rex field=messageId "(?<docNum>\d+)\|\|(?<whoNum>.*)"
| rex field=messageId "(?<docNum>\d+)"
| eval wmcreateDateTime= if( like( message, "%request from EWM%" ), wmDateTime,"")
| eval wmconfirmDateTime=if( like( message, "%request sent to Exacta successfully%" ), wmDateTime,"")
| eval wmsentDateTime=if( like( message, "%ready to send to Exacta%" ), wmDateTime,"")
| lookup wminterface_mapping.csv wmInterface as interface OUTPUT Interface
| stats values(Interface) as Interface values(whoNum) as whoNum values(wmcreateDateTime) AS wmcreateDateTime values(wmconfirmDateTime) AS wmconfirmDateTime values(wmsentDateTime) AS wmsentDateTime by docNum
| rename docNum as ewmIdoc]
| eval ewmIdoc=ltrim(tostring(ewmIdoc),"0")
| fields ewmIdoc ewmIdocStatus ewmmesType ewmCreateTime whoNum,Interface,wmcreateDateTime,wmconfirmDateTime,wmsentDateTime
| join type=outer whoNum
[search index=lsc_exacta_qa_index source="D:\\ProgramData\\Bastian Software\\Logs\\ExactaImportAdapter\\ExactaImportAdapter*"
| rex field=_raw ".* ORDER_NAME=\"(?<imaWho>[\d-]+)\" .*"
| rex field=_raw ".*JSON received for product import:.*\"product\":\"(?<imaWho>[\d-]+)\",.*"
| rex field=_raw ".*JSON received for putaway import:.*\"who\":\"(?<imaWho>[\d-]+)\",.*"
| eval exactaRecTime = strftime(_time,"%Y-%m-%d %H:%M:%S")
| dedup imaWho sortby +exactaRecTime
| eval exactaInfStatus = if(exactaRecTime != "","Success",NA)
| table imaWho exactaRecTime exactaInfStatus
| join type=outer imaWho [search index=lsc_exacta_qa_index source="D:\\ProgramData\\Bastian Software\\Logs\\ExactaImport\\ExactaImport.txt"
| rex field=_raw ".* Order \[(?<imWho>[\d-]+) - .*\] successfully assigned.*"
| rex field=_raw "\.* Bastian\.Exacta\.Interface\.Processes\.ExactaProductTranslatorBase - Validation of Message Successfull, Prepare to Insert\n.*ROWS ONLY;\@p0 = \'(?<imWho>[\d-]+)\'.*\[.*"
| rex field=_raw ".*\/line id \[(?<imWho>[\d-]+) -.* was cancelled successfully.\n.*"
| rex field=_raw ".*\[Import Pick Orders\].*ROWS ONLY;@p0 = \'(?<imWho>[\d-]+)\' \[[\S\s]*- Messages processed successfully.*"
| eval exactaDocTime = strftime(_time, "%Y-%m-%d %H:%M:%S")
| search imWho !=""
| eval exactaDocStatus = if(exactaDocTime != "","Created",NA)
| table imWho exactaDocTime exactaDocStatus
| rename imWho as imaWho]
| table imaWho exactaRecTime exactaDocTime exactaInfStatus exactaDocStatus
| rename imaWho as whoNum]
| search Interface = "*"
| rename whoNum as "WHO/PRODUCT"
| table ewmIdoc ewmIdocStatus ewmmesType ewmCreateTime "WHO/PRODUCT",Interface,wmcreateDateTime, wmsentDateTime, wmconfirmDateTime, exactaRecTime exactaDocTime exactaInfStatus exactaDocStatus

 

 

OUTPUT: 

Abhineet_0-1688385941125.png

looking  to execute  above red highlighted search query on events whose "_time" field value is equal to or greater than field value "wmsentDateTime" which we got from search query highlighted in green.

 

Thanks

Abhineet Kumar

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-04-2023 05:33 AM

Hi

When you are attaching SPL code or other configurations, please use </> token from edit options! That way it's much easier to read and we can sure that that it what you have paste! You should also use Ctrl/Cmd+F to get it formatted. See above. Unfortunately you lost colors when you use code block 😞

 

index=lsc_db2_qa_index sourcetype=lsc_db2_ewm_qa_outbound 
| dedup EDIDCDOCNUM 
| rex field=_raw "(?<dateTime>[\d\-\s:]+).\d{3}, TIME.*" 
| rename EDIDCDOCNUM as ewmIdoc EDIDCSTATUS as ewmIdocStatus MESTYP as ewmmesType dateTime as ewmCreateTime 
| table ewmIdoc ewmIdocStatus ewmmesType ewmCreateTime 
| join type=outer ewmIdoc 
    [ search index=webmethods_qa5555_index sourcetype=transactions_qa5555_src 
    | search sender="AMAT_SAP_EWM" AND receiver="EXACTA" 
    | rex field=_raw "(?<wmDateTime>[\d\-:\s]+) .*" 
    | rex field=messageId "(?<docNum>\d+)\|\|(?<whoNum>.*)" 
    | rex field=messageId "(?<docNum>\d+)" 
    | eval wmcreateDateTime= if( like( message, "%request from EWM%" ), wmDateTime,"") 
    | eval wmconfirmDateTime=if( like( message, "%request sent to Exacta successfully%" ), wmDateTime,"") 
    | eval wmsentDateTime=if( like( message, "%ready to send to Exacta%" ), wmDateTime,"") 
    | lookup wminterface_mapping.csv wmInterface as interface OUTPUT Interface 
    | stats values(Interface) as Interface values(whoNum) as whoNum values(wmcreateDateTime) AS wmcreateDateTime values(wmconfirmDateTime) AS wmconfirmDateTime values(wmsentDateTime) AS wmsentDateTime by docNum 
    | rename docNum as ewmIdoc] 
| eval ewmIdoc=ltrim(tostring(ewmIdoc),"0") 
| fields ewmIdoc ewmIdocStatus ewmmesType ewmCreateTime whoNum,Interface,wmcreateDateTime,wmconfirmDateTime,wmsentDateTime 
| join type=outer whoNum 
    [ search index=lsc_exacta_qa_index source="D:\\ProgramData\\Bastian Software\\Logs\\ExactaImportAdapter\\ExactaImportAdapter*" 
    | rex field=_raw ".* ORDER_NAME=\"(?<imaWho>[\d-]+)\" .*" 
    | rex field=_raw ".*JSON received for product import:.*\"product\":\"(?<imaWho>[\d-]+)\",.*" 
    | rex field=_raw ".*JSON received for putaway import:.*\"who\":\"(?<imaWho>[\d-]+)\",.*" 
    | eval exactaRecTime = strftime(_time,"%Y-%m-%d %H:%M:%S") 
    | dedup imaWho sortby +exactaRecTime 
    | eval exactaInfStatus = if(exactaRecTime != "","Success",NA) 
    | table imaWho exactaRecTime exactaInfStatus 
    | join type=outer imaWho 
        [ search index=lsc_exacta_qa_index source="D:\\ProgramData\\Bastian Software\\Logs\\ExactaImport\\ExactaImport.txt" 
        | rex field=_raw ".* Order \[(?<imWho>[\d-]+) - .*\] successfully assigned.*" 
        | rex field=_raw "\.* Bastian\.Exacta\.Interface\.Processes\.ExactaProductTranslatorBase - Validation of Message Successfull, Prepare to Insert\n.*ROWS ONLY;\@p0 = \'(?<imWho>[\d-]+)\'.*\[.*" 
        | rex field=_raw ".*\/line id \[(?<imWho>[\d-]+) -.* was cancelled successfully.\n.*" 
        | rex field=_raw ".*\[Import Pick Orders\].*ROWS ONLY;@p0 = \'(?<imWho>[\d-]+)\' \[[\S\s]*- Messages processed successfully.*" 
        | eval exactaDocTime = strftime(_time, "%Y-%m-%d %H:%M:%S") 
        | search imWho !="" 
        | eval exactaDocStatus = if(exactaDocTime != "","Created",NA) 
        | table imWho exactaDocTime exactaDocStatus 
        | rename imWho as imaWho] 
    | table imaWho exactaRecTime exactaDocTime exactaInfStatus exactaDocStatus 
    | rename imaWho as whoNum] 
| search Interface = "*" 
| rename whoNum as "WHO/PRODUCT" 
| table ewmIdoc ewmIdocStatus ewmmesType ewmCreateTime "WHO/PRODUCT",Interface,wmcreateDateTime, wmsentDateTime, wmconfirmDateTime, exactaRecTime exactaDocTime exactaInfStatus exactaDocStatus

 

 If I look that correctly you have wrong field name (imaWhoon you red block. On join you mast have same column on join (whoNum) and sub search! Probably you will have the same situation on the next join after you have fixed this first issue!

Anyhow join is not a preferred method to join events on Splunk. You should read the next articles and conf presentation to do better / more powerful joins.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...