Splunk Dev

Forming a Subquery

hfalkmeyer
New Member

We are feeding logs from a messaging middleware into our Splunk installation. Input and output logs for this middleware are respectively being stored with sourcetype flags app_input and app_output, with each app_input/app_output pair containing a common, alphanumeric transactionid contained in square brackets. We're trying to build a single line search that will result in a listing of ALL I/O log pairs for which either the app_input or app_output contains a specified string.

Attempting to solve this, we started with sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]\". Now, we'd like the search to continue using each extracted transactionid.

We've tried queries w. subqueries along the lines of sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query without any apparent luck.

Any assistance would be greatly appreciated.

Thank you in advance,

Harold Falkmeyer

0 Karma

DalJeanis
Legend

sourcetype=app_* some_search 
| rex "\[(?<transactionid>[A-Za-z0-9]+)\]"
| stats values(*) as * by transactionid

... or, alternately...

sourcetype=app_* some_search 
| rex "\[(?<transactionid>[A-Za-z0-9]+)\]"
| transaction transactionid

Removed the extra slash before the final quote.
Added alternate to use transaction.

0 Karma

jordanb93
Explorer

Have you tried creating an extracted field for your transactionid?

https://docs.splunk.com/Documentation/Splunk/6.6.1/Scenarios/Extractfields

Make note of Part 4, building an extracted field with the field extractor tool.

0 Karma
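
The lookup the question asks for, modeled in Python on constructed log lines (an added example, not code from any poster in this thread): it contrasts filtering before grouping with a two-pass lookup that first collects the transaction ids of matching events, which is the role of a subsearch, and then returns every event carrying one of those ids. `EVENTS` and all function names are hypothetical, and string matching is simplified to a case-insensitive substring test.

```python
import re
from collections import defaultdict

# Same pattern as the rex in the thread: alphanumeric id in square brackets.
TXN_RE = re.compile(r"\[(?P<transactionid>[A-Za-z0-9]+)\]")

# Constructed sample events as (sourcetype, raw line); not real middleware logs.
EVENTS = [
    ("app_input", "10:00:00 [A1b2] recv order=42 payload=hello"),
    ("app_output", "10:00:01 [A1b2] sent status=OK"),
    ("app_input", "10:00:02 [C3d4] recv order=43 payload=ping"),
    ("app_output", "10:00:03 [C3d4] sent status=ERROR timeout"),
    ("app_input", "10:00:04 [E5f6] recv order=44 payload=error-test"),
    ("app_output", "10:00:05 [E5f6] sent status=OK"),
    ("app_output", "10:00:06 heartbeat ERROR no transaction"),
]


def txn_id(raw):
    """Return the bracketed transaction id, or None when the line has none."""
    m = TXN_RE.search(raw)
    return m.group("transactionid") if m else None


def group_by_txn(events):
    """Group events by transaction id, dropping events without one."""
    groups = defaultdict(list)
    for sourcetype, raw in events:
        tid = txn_id(raw)
        if tid is not None:
            groups[tid].append((sourcetype, raw))
    return dict(groups)


def filter_then_group(events, needle):
    """Single pass: keep only matching events, then group them."""
    hits = [e for e in events if needle.lower() in e[1].lower()]
    return group_by_txn(hits)


def io_pairs(events, needle):
    """Two passes: collect ids from matching events (the subsearch's role),
    then return every event carrying one of those ids."""
    wanted = set(filter_then_group(events, needle))
    return {t: evs for t, evs in group_by_txn(events).items() if t in wanted}


if __name__ == "__main__":
    for tid, evs in io_pairs(EVENTS, "error").items():
        print(tid, [st for st, _ in evs])
```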