- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract value from first index and search in s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I'm new to splunk so pardon if its a straightforward query
I want to extract userIds from my first index and check how many does not exist in second index
Example: index=auth-app would have field like UID: H0XF7PQU1
So, I want to extract H0XF7PQU1 from first query and check if it exist in second query (index=main-app) and get count of ids that exist one first index but not in second.
Conceptually, I want to get count of users that passed authentication (first index) but still did not make it to main application (second index)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure, but, lets try this once...
index=main-app OR (index=auth-app "createsession") | rex field=_raw "UID: (?<uid>......)" | stats count(uid)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.. do you know if UID is extracted?
pls try
(index=auth-app OR index=main-app) UID
or, simply please try..
(index=auth-app OR index=main-app) H0XF7PQU1
update us your results, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its a bit trickier than that
Here's my first query
index=auth-app "createSession" | rex field=_raw "UID: (?<uid>.*)"
And second query should be something like index=main-app uid | stats count
How do i put above two into what you suggested -- (index=auth-app OR index=main-app) UID | stats count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I tried this and this sorta works but one issue
Query:
index=main-app [search index=auth-app "createsession" | rex field=_raw "UID: (?<uid>......)" | table uid ] | stats count
The subquery results in something like this UID="XYZ" OR UID="ABC" etc so overall query becomes likes this
index=main-app UID="XYZ" OR UID="ABC"
But I just want to search as keyword in second index not as a UID field. So basically like this
index=main-app "XYZ" OR "ABC"
How can I achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure, but, lets try this once...
index=main-app OR (index=auth-app "createsession") | rex field=_raw "UID: (?<uid>......)" | stats count(uid)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try...
index=main-app | join uid [search index=auth-app "createsession" | rex field=_raw "UID: (?<uid>......)" | fields uid ] | stats count
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
