Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forming a Subquery

hfalkmeyer
New Member
‎06-08-2017 02:05 AM

We are feeding logs from a messaging middleware into our Splunk installation. Input and output logs for this middleware are respectively being stored with sourcetype flags app_input and app_output, with each app_input/app_output pair containing a common, alphanumeric transactionid contained in square brackets. We're trying to build a single line search that will result in a listing of ALL I/O log pairs for which either the app_input or app_output contains a specified string.

Attempting to solve this, we started with sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]\". Now, we'd like the search to continue using each extracted transactionid.

We've tried queries w. subqueries along the lines of sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query without any apparent luck.

Any assistance would be greatly appreciated.

Thank you in advance,

Harold Falkmeyer

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎06-08-2017 07:50 AM 
sourcetype=app_* some_search 
| rex "\[(?<transactionid>[A-Za-z0-9]+)\]"
| stats values(*) as * by transactionid

... or, alternately...

sourcetype=app_* some_search 
| rex "\[(?<transactionid>[A-Za-z0-9]+)\]"
| transaction transactionid

Removed the extra slash before the final quote.
Added alternate to use transaction.

0 Karma
Reply

jordanb93
Explorer
‎06-08-2017 07:10 AM

Have you tried creating a extracted field for your transactionid?

https://docs.splunk.com/Documentation/Splunk/6.6.1/Scenarios/Extractfields

Make noticed of Part 4, building an extracted field with the field extractor tool.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Top