Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract value from first index and search in second index

ank15july96
Engager
‎02-02-2021 11:13 AM

Hi, I'm new to splunk so pardon if its a straightforward query

I want to extract userIds from my first index and check how many does not exist in second index

Example: index=auth-app would have field like  UID: H0XF7PQU1

So, I want to extract H0XF7PQU1 from first query and check if it exist in second query (index=main-app) and get count of ids that exist one first index but not in second. 

Conceptually, I want to get count of users that passed authentication (first index) but still did not make it to main application (second index)

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎02-02-2021 01:51 PM

I am not sure, but, lets try this once...

index=main-app OR (index=auth-app "createsession") | rex field=_raw "UID: (?<uid>......)" | stats count(uid)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎02-02-2021 12:06 PM

Hi.. do you know if UID is extracted?

pls try

(index=auth-app OR index=main-app) UID

or, simply please try..

(index=auth-app OR index=main-app) H0XF7PQU1

update us your results, thanks.

0 Karma
Reply
Solved! Jump to solution

ank15july96
Engager
‎02-02-2021 12:21 PM

Its a bit trickier than that
Here's my first query

index=auth-app "createSession" | rex field=_raw "UID: (?<uid>.*)"

And second query should be something like index=main-app uid | stats count

How do i put above two into what you suggested -- (index=auth-app OR index=main-app) UID | stats count

0 Karma
Reply
Solved! Jump to solution

ank15july96
Engager
‎02-02-2021 12:50 PM

Okay, I tried this and this sorta works but one issue
Query:

index=main-app [search index=auth-app "createsession" | rex field=_raw "UID: (?<uid>......)" | table uid ] | stats count

The subquery results in something like this UID="XYZ" OR UID="ABC" etc so overall query becomes likes this

index=main-app UID="XYZ" OR UID="ABC"

But I just want to search as keyword in second index not as a UID field. So basically like this

index=main-app "XYZ" OR "ABC" 

How can I achieve this?

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎02-02-2021 01:51 PM

I am not sure, but, lets try this once...

index=main-app OR (index=auth-app "createsession") | rex field=_raw "UID: (?<uid>......)" | stats count(uid)

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎02-02-2021 01:44 PM

Please try...

index=main-app | join uid [search index=auth-app "createsession" | rex field=_raw "UID: (?<uid>......)" | fields uid ] | stats count

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...