How to make a search using a field extracted from ...

MPJ44 · ‎11-15-2022

I'm using Splunk to collect data about a collection of logs. A log returned from Splunk might look like:

type: user creation

transaction_id:1234

message=process started

Now, I want to count how many time an error has been linked to a transaction for user_creation, without knowing the transaction in advance. For example, this error might be a log:

type: error

transaction_id:1234

message=process abord

I'm trying to use the rex command to isolate the transaction_id from the first log, then pipe it to find an error with the same transaction_id (to get a count of how many time an error has been associated with the process user creation), but my request seems to considered the first part of my request instead of just using the return to pipe to the second request. Here is what I have to far:

type = "user creation" | rex field= (?<transaction_id>[^-]+)"|  search transaction_id=field message="process abord" | stats count as total_error_user_creation

Anyone could suggest some improvements to get the desired result?

ITWhisperer · ‎11-15-2022

Splunk is processing a pipeline of events, so you might want to consider doing it something like this:

``` Extract type if not already extracted (adjust for your actual events) ``
| rex "type: (?<type>.+$)"
``` Extract transaction id if not already extracted (adjust for your actual events) ```
| rex "transaction_id: (?<transaction_id>[^-]+)"
``` Extract abort message specifically (adjust for your actual events) ```
| rex "message= \"(?<process_abord>process abord)\""
``` Add process_abord if it exists to all events with the same transaction id ```
| eventstats values(process_abord) as process_abord by transaction_id
``` Just keep the user creation event where the transaction has aborted ```
| where type="user creation" AND isnotnull(process_abord)
``` Count remaining events ```
| stats count as total_error_user_creation

MPJ44 · ‎11-15-2022

Thanks for the suggestion, but I feel like I'm lacking something in my understanding of the provided answer because I don't succeed in customizing the request to adapt it to my problem.

I guess I could simplify the question to this: If a request return a log containing a field transaction_id:1234, how to store 1234 in a variable to reuse it in another search to find all log with that id. I probably will be able to complete the other steps.

ITWhisperer · ‎11-15-2022

Without concrete examples, it is difficult to come up with concrete solutions, so, in abstract form:

It depends on what you mean by "another search" - if the search is from the same set of events e.g. all from the same sourcetype, then, from you description, you already have the transaction id in a field. In this context, the field is the variable. By extracting another field, which only holds the error message on events which have that particular message using the rex command, you will have a number of events for the same transaction id, some with the type of user creation and some with type error and the extra field with the error message in. Using the eventstats command, you can add the extra field to all the events with the matching transaction id. Then, when you filter with the where command, you will be picking only those events with the user creation type, which also have another event with the same transaction id but have the error message. This is essentially what the first solution is trying to do.

If the other search is from a different sourcetype, you could do something like this

<search criteria for user creation> [search <search criteria for error message> | fields transaction_id | format]
| stats count

How to make a search using a field extracted from another search?

development

using Splunk Cloud

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms