We are feeding logs from a messaging middleware into our Splunk installation. Input and output logs for this middleware are respectively being stored with sourcetype
flags app_input
and app_output
, with each app_input
/app_output
pair containing a common, alphanumeric transactionid
contained in square brackets. We're trying to build a single line search that will result in a listing of ALL I/O log pairs for which either the app_input
or app_output
contains a specified string.
Attempting to solve this, we started with sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]\"
. Now, we'd like the search to continue using each extracted transactionid
.
We've tried queries w. subqueries along the lines of sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query
without any apparent luck.
Any assistance would be greatly appreciated.
Thank you in advance,
Harold Falkmeyer
sourcetype=app_* some_search
| rex "\[(?<transactionid>[A-Za-z0-9]+)\]"
| stats values(*) as * by transactionid
... or, alternately...
sourcetype=app_* some_search
| rex "\[(?<transactionid>[A-Za-z0-9]+)\]"
| transaction transactionid
Removed the extra slash before the final quote.
Added alternate to use transaction
.
Have you tried creating a extracted field for your transactionid
?
https://docs.splunk.com/Documentation/Splunk/6.6.1/Scenarios/Extractfields
Make noticed of Part 4, building an extracted field with the field extractor tool.