
Need help on joining on multiple search

bhaskar5428
Explorer


Hi, please check the above two screenshots. I want to join these queries in such a way that I get AppID along with the columns in the first search query.

The requirement is that AppID should come against the order ID from the first screenshot.

Please suggest.


bhaskar5428
Explorer

If you want, I can share raw events for both queries.


richgalloway
SplunkTrust

Please post the SPL as text rather than as screen shots.

It looks like the first search would become a subsearch within the second search.

---
If this reply helps you, Karma would be appreciated.

bhaskar5428
Explorer

index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE
| fields message
| rex field=message "\"orderId\":\"(?<orderId>[^\"]+)\"},\"error\":\{\"errorCode\":\"(?<errorCode>[^\"]+)\""
| dedup orderId
| table orderId, errorCode


---------------------------------------------------------------------------------------------------------------------------------------

index = app_events_sdda_core_de_prod "Process transaction locally" b95d0d10-9709-4299-9d3e-8c65dd5a539d source="/home/sdda/apps/logs/sep-app/app-json.log"
|rex field=message "deliveringApplication=(?<AppID>\w+)"
|dedup AppID
|table AppID


The above order ID I have added just for showcase purposes.
Actually I want the SPL in such a way that the order ID from my first SPL automatically gets checked in the 2nd,
and I will get three columns.
An inner search kind of thing.

Please help.


gcusello
SplunkTrust

Hi @bhaskar5428,

you need a correlation key, which cannot be a simple string; in this case you need to extract this field.

In your case, the correlation key should be orderId, so you could run something like this:

index = app_events_sdda_core_de_prod source="/home/sdda/apps/logs/sep-app/app-json.log" level=TRACE
| rex field=message "\"orderId\":\"(?<orderId>[^\"]+)\"},\"error\":\{\"errorCode\":\"(?<errorCode>[^\"]+)\""
| fields orderId errorCode 
| dedup orderId
| table orderId, errorCode
| append [
index = app_events_sdda_core_de_prod "Process transaction locally" b95d0d10-9709-4299-9d3e-8c65dd5a539d source="/home/sdda/apps/logs/sep-app/app-json.log"
| rex field=message "deliveringApplication=(?<AppID>\w+)"
| rex "(?<orderId>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})"
| dedup AppID
| table AppID orderId ]
| stats 
     values(errorCode) AS errorCode 
     values(AppID) AS AppID 
     BY orderId

This solution has only one limit: you must be sure that the second search will have fewer than 50,000 results; otherwise, you need a different solution.

Ciao.

Giuseppe
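To check the two rex patterns and the orderId join key without a Splunk instance, here is an offline Python model of the append + stats pipeline in the reply above. This is an added example, not code from the original thread or from Splunk: the sample events are constructed, the field names (message, _raw) mirror the ones used in the thread, and the helper functions (search_trace, search_local, stats_by_order_id, correlate) are hypothetical names chosen for this illustration.

```python
"""Offline model of the append + stats correlation from the reply above.

Added example, not code from the original post. It replays the two rex
extractions on constructed log lines and groups them on orderId the way
`| stats values(errorCode) AS errorCode values(AppID) AS AppID BY orderId`
does, so the regexes and the join key can be checked without Splunk.
"""
import re
from collections import defaultdict

# The three regexes from the thread, rewritten with Python's (?P<name>) group syntax.
ERROR_RE = re.compile(r'"orderId":"(?P<orderId>[^"]+)"},"error":\{"errorCode":"(?P<errorCode>[^"]+)"')
APPID_RE = re.compile(r"deliveringApplication=(?P<AppID>\w+)")
UUID_RE = re.compile(r"(?P<orderId>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})")

# Constructed sample events (not real data). Search 1: level=TRACE events whose
# `message` field carries the orderId/errorCode JSON fragment.
TRACE_EVENTS = [
    {"level": "TRACE", "message": '{"order":{"orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"E42"}}'},
    {"level": "TRACE", "message": '{"order":{"orderId":"b95d0d10-9709-4299-9d3e-8c65dd5a539d"},"error":{"errorCode":"E42"}}'},  # duplicate, removed by dedup
    {"level": "TRACE", "message": '{"order":{"orderId":"0a1b2c3d-1111-2222-3333-444455556666"},"error":{"errorCode":"E07"}}'},
    {"level": "TRACE", "message": '{"order":{"orderId":"ffffffff-0000-1111-2222-333333333333"},"error":{"errorCode":"E99"}}'},
]

# Search 2: "Process transaction locally" events; AppID sits in `message`, the
# order UUID only in the raw event text (hence the rex without field= in the reply).
LOCAL_EVENTS = [
    {"_raw": "Process transaction locally orderId=b95d0d10-9709-4299-9d3e-8c65dd5a539d deliveringApplication=SEPCore",
     "message": "deliveringApplication=SEPCore"},
    {"_raw": "Process transaction locally orderId=0a1b2c3d-1111-2222-3333-444455556666 deliveringApplication=Payments",
     "message": "deliveringApplication=Payments"},
    # Same AppID as the first event: `dedup AppID` drops it, so this orderId never gets an AppID.
    {"_raw": "Process transaction locally orderId=ffffffff-0000-1111-2222-333333333333 deliveringApplication=SEPCore",
     "message": "deliveringApplication=SEPCore"},
]


def search_trace(events):
    """Search 1: rex orderId/errorCode from message, dedup orderId, table orderId errorCode."""
    rows, seen = [], set()
    for ev in events:
        m = ERROR_RE.search(ev["message"])
        if not m or m["orderId"] in seen:
            continue
        seen.add(m["orderId"])
        rows.append({"orderId": m["orderId"], "errorCode": m["errorCode"]})
    return rows


def search_local(events):
    """Appended search: rex AppID from message and orderId from _raw, dedup AppID."""
    rows, seen = [], set()
    for ev in events:
        app = APPID_RE.search(ev["message"])
        oid = UUID_RE.search(ev["_raw"])
        if not app or app["AppID"] in seen:
            continue
        seen.add(app["AppID"])
        rows.append({"AppID": app["AppID"], "orderId": oid["orderId"] if oid else None})
    return rows


def stats_by_order_id(rows):
    """Equivalent of `stats values(errorCode) AS errorCode values(AppID) AS AppID BY orderId`."""
    groups = defaultdict(lambda: {"errorCode": set(), "AppID": set()})
    for r in rows:
        if r.get("orderId") is None:
            continue  # stats BY discards rows where the BY field is missing
        for key in ("errorCode", "AppID"):
            if r.get(key) is not None:
                groups[r["orderId"]][key].add(r[key])
    # values() returns a sorted multivalue field; model it as a sorted list.
    return {oid: {k: sorted(v) for k, v in g.items()} for oid, g in sorted(groups.items())}


def correlate(trace_events, local_events):
    """append the second result set to the first, then group on the shared orderId key."""
    return stats_by_order_id(search_trace(trace_events) + search_local(local_events))


if __name__ == "__main__":
    for order_id, cols in correlate(TRACE_EVENTS, LOCAL_EVENTS).items():
        print(order_id, cols["errorCode"], cols["AppID"])
```

Running it prints one row per orderId with its errorCode and AppID values. The third constructed order shows the caveat worth checking before relying on the output: because the appended search deduplicates on AppID rather than on orderId, an application that delivered several orders keeps only its first event, and the remaining orders come back with an empty AppID column even though the events exist.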
