Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add value from sub search into the result set of the main search

Joerg
Explorer
‎11-28-2021 05:42 AM

I've a sub search on an SMTP log to get all TO and FROM values together with the status. Unfortunately TO and FROM are in one log entry and TO and STATUS in a different one. Common field is the TextID. 
Simplified the log structure looks like the following for a single TextID:

 

...
{"id":null,"log":{"text":"123A: to=<T@>, status=sent"}}
{"id":null,"log":{"text":"123A: to=<T@>, status=deferred"}}
{"id":null,"log":{"text":"123A: from=<F@> to=<T@> proto=ESMTP"}}
...

 

My current search:

 

index=A 
[ search index=A "to=<"
| rex field=log.text "(?<TextID>\w+).*from=<(?<FROM>.*)> to=<(?<TO>.*)> "
| dedup TextID
| return 1000000 $TextID
]
| rex field=log.text "(?<TextID>\w+).*to=<(?<TO>.*)>.*, status=(?<STATUS>.*\))"
| table TextID TO STATUS

 

My current result:

TextIDTOSTATUS
123ATo1sent
123ATo1deferred
234BTo2sent
234BTo2delayed
345CTo3sent

 

How can I also print out the FROM which is only available in the sub search in the result set of the main search?
I already tried to resolve this with union, join, append, appendcols but was unable to get expected result. Expected result would be:

TextIDTO STATUSFROM
123ATo1sentFrom1
123ATo1deferredFrom1
234BTo2sentFrom2
234BTo2delayedFrom2
345CTo3sentFrom1


Thank you
Jörg

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-28-2021 11:43 AM 
index=A 
| rex field=log.text "(?<TextID>\w+).*from=<(?<FROM>.*)> to=<(?<TO>.*)> proto=(?<PROTO>.*)\""
| rex field=log.text "(?<TextID>\w+).*to=<(?<TO>.*)>.*, status=(?<STATUS>.*\))"
| stats values(STATUS) as STATUS values(TO) as TO values(FROM) as FROM values(PROTO) as PROTO by TextID

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-28-2021 06:06 AM

Try something like this

index=A 
| rex field=log.text "(?<TextID>\w+).*from=<(?<FROM>.*)> to=<(?<TO>.*)> "
| rex field=log.text "(?<TextID>\w+).*to=<(?<TO>.*)>.*, status=(?<STATUS>.*\))"
| stats values(STATUS) as STATUS values(TO) as TO values(FROM) as FROM by TextID
0 Karma
Reply
Solved! Jump to solution

Joerg
Explorer
‎11-28-2021 06:24 AM

Thanks @ITWhisperer unfortunately FROM is still empty.
I also have to admit that I missed to add a condition (proto=ESMTP) to my current search. This condition is essential for the sub search to return only specific entries:

index=A 
[ search index=A AND "to=<" AND "proto=ESMTP"
| rex field=log.text "(?<TextID>\w+).*from=<(?<FROM>.*)> to=<(?<TO>.*)> "
| dedup TextID
| return 1000000 $TextID
]
| rex field=log.text "(?<TextID>\w+).*to=<(?<TO>.*)>.*, status=(?<STATUS>.*\))"
| table TextID TO STATUS

 Unfortunately TextID, TO, FROM, proto are in one log entry (sub search) and TextID, TO, STATUS in a different one (main search). Common for both is the TextID, TO. 

0 Karma
Reply
Solved! Jump to solution

Joerg
Explorer
‎11-28-2021 06:56 AM

@ITWhisperer all of a sudden I got your example working and the FROM is now showing. No idea why it wasn't working the first time.  Sorry for the hassle.
But as I missed to give some important info (additional search criteria for the sub query) it also returns entries without
... "to=<" AND "proto=ESMTP"...

| rex field=log.text "(?<TextID>\w+).*from=<(?<FROM>.*)> to=<(?<TO>.*)> "

Can I somehow include additional search criteria as well similar to what I've in my sub search?

Thanks Jörg

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-28-2021 11:43 AM 
index=A 
| rex field=log.text "(?<TextID>\w+).*from=<(?<FROM>.*)> to=<(?<TO>.*)> proto=(?<PROTO>.*)\""
| rex field=log.text "(?<TextID>\w+).*to=<(?<TO>.*)>.*, status=(?<STATUS>.*\))"
| stats values(STATUS) as STATUS values(TO) as TO values(FROM) as FROM values(PROTO) as PROTO by TextID
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-28-2021 11:24 AM

You can do pretty much whatever you want in splunk 😉

If you want to restrict your results only to those that have proto=ESMTP, just extract that field, then add it as another stats to calculate and filter to include only those having ESMTP in proto field.

index=A 
| rex field=log.text "(?<TextID>\w+).*from=<(?<FROM>.*)> to=<(?<TO>.*) proto=(?<PROTO>.*)> "
| rex field=log.text "(?<TextID>\w+).*to=<(?<TO>.*)>.*, status=(?<STATUS>.*\))"
| stats values(STATUS) as STATUS values(TO) as TO values(FROM) as FROM values(PROTO) as PROTO by TextID
| search PROTO=ESMTP

 

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...