Splunk Search

Extracting id field from one event and looking for this id in another event


Hi All,

I have the below two event logs:
ns=app1, id=12,Error='400', Service='CallGetAccount'

ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 Error='400'
Above gives me the Event 1 where I have an error code of 400.

Kindly let me know how to fetch id from Event 1 and then search Event 2 with that id and, if found, add 1 to Output field 1 and, if not found, add 1 to Output field 2, and get the count displayed in table format.

Thank you!

0 Karma

Esteemed Legend

Like this:

ns=app1 [ns=app1 Error='400'  | table id]
| stats count BY id
| search count>1
| stats count
0 Karma


Perhaps this will help get you started.

ns=app1
| transaction id startswith=eval(Error='400')
| eval OutputField1=if(eventcount==2, 1, 0), OutputField2=if(eventcount==1, 1, 0)
| stats sum(OutputField1) as OutputField1 sum(OutputField2) as OutputField2
| table OutputField1 OutputField2
If this reply helps you, Karma would be appreciated.
0 Karma


Thank you.

ns=app1, id=12, [ErrorResponse] Service='CallGetAccount'

ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 ErrorResponse
Above gives me the Event 1 where I have an error.

Kindly let me know how to fetch id from Event 1, i.e. id=12, and then search Event 2 with that id and, if found, add 1 to Output field 1 and, if not found, add 1 to Output field 2, and get the count displayed in table format.

Thank you

0 Karma


In order to search for the error records, I use:
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events, and in those I have to look for a field appId = 'New1'. If it is New1, I have to add it to counter1, else to counter2.

Thank you!

0 Karma


That is different from your original question. It's difficult to provide an answer when the question changes.

If this reply helps you, Karma would be appreciated.
0 Karma


My bad. I misread/misunderstood the logs. Kindly provide the guidance for my recent posted query.

0 Karma


Try this.

ns=app1 appId=* [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | return ActNo]
| stats sum(eval(appId=='New1')) as counter1 sum(eval(appId!='New1')) as counter2
If this reply helps you, Karma would be appreciated.
0 Karma
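To make the correlation logic of the accepted answer concrete outside Splunk, here is an added Python example (not code from the thread or from Splunk) that parses a handful of constructed events in the layout shown above, emulates the subsearch `ns=app1 Service='trigger1' Id!='temp-100' | search ErrorResponse | return ActNo`, and then emulates the outer `stats sum(eval(...))` counters. It assumes the field is named `id` (the thread's search uses `Id` while the event shows `id`; Splunk field names are case-sensitive, so check which one is actually extracted), that bracketed tokens like `[ErrorResponse]` are searchable as free text, and that surrounding single quotes are stripped from values. It goes slightly beyond the answer by collecting every distinct ActNo from the error events rather than just the first one.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample events following the layout shown in the thread
# (timestamp, ns=..., optional [Tag], key=value pairs). All values are made up.
SAMPLE_EVENTS = [
    "2024-08-01T10:00:00Z ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234",
    "2024-08-01T10:00:01Z ns=app1 Service='CallGetRetro' id=106 ActNo=1234 appId='New1'",
    "2024-08-01T10:00:02Z ns=app1 Service='CallGetRetro' id=107 ActNo=1234 appId='Legacy'",
    "2024-08-01T10:00:03Z ns=app1 [ErrorResponse] Service='trigger1' id=temp-100 ActNo=9999",
    "2024-08-01T10:00:04Z ns=app1 Service='CallGetRetro' id=108 ActNo=9999 appId='New1'",
    "2024-08-01T10:00:05Z ns=app1 Service='CallGetRetro' id=109 ActNo=5555 appId='New1'",
    "2024-08-01T10:00:06Z ns=app2 Service='CallGetRetro' id=110 ActNo=1234 appId='New1'",
]

# key=value pairs; the value is either a single-quoted string or a bare token.
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# Bracketed markers such as [ErrorResponse].
TAG_RE = re.compile(r"\[(\w+)\]")


def parse_event(raw: str) -> Dict[str, str]:
    """Extract key=value fields and bracketed tags from one raw event.

    Assumption: surrounding single quotes and trailing commas are stripped
    from values. Tags are collected in a space-separated 'tags' field so the
    equivalent of a free-text `| search ErrorResponse` can be applied.
    """
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(raw):
        fields[key] = value.strip("'").rstrip(",")
    fields["tags"] = " ".join(TAG_RE.findall(raw))
    fields["_raw"] = raw
    return fields


def error_account_numbers(events: Iterable[Dict[str, str]]) -> Set[str]:
    """Emulate the subsearch:
        ns=app1 Service='trigger1' id!='temp-100' | search ErrorResponse | return ActNo
    Every distinct ActNo is returned (see the note below on `return`'s default row count).
    """
    return {
        e["ActNo"]
        for e in events
        if e.get("ns") == "app1"
        and e.get("Service") == "trigger1"
        and e.get("id") != "temp-100"
        and "ErrorResponse" in e.get("tags", "").split()
        and "ActNo" in e
    }


def count_app_ids(events: Iterable[Dict[str, str]], act_numbers: Set[str]) -> Tuple[int, int]:
    """Emulate the outer search and its stats:
        ns=app1 appId=* <ActNo from subsearch>
        | stats sum(eval(appId=='New1')) as counter1 sum(eval(appId!='New1')) as counter2
    """
    counter1 = counter2 = 0
    for e in events:
        if e.get("ns") != "app1" or "appId" not in e:
            continue  # appId=* only keeps events that carry the field
        if e.get("ActNo") not in act_numbers:
            continue  # not one of the accounts that had an error response
        if e["appId"] == "New1":
            counter1 += 1
        else:
            counter2 += 1
    return counter1, counter2


def run(raw_events: List[str]) -> Dict[str, int]:
    """Parse, run the subsearch, then the outer stats; returns the counters."""
    events = [parse_event(r) for r in raw_events]
    act_numbers = error_account_numbers(events)
    counter1, counter2 = count_app_ids(events, act_numbers)
    return {"counter1": counter1, "counter2": counter2}


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

Two practical caveats when running the real SPL: `return` emits only the first row unless given a count (`| return 100 ActNo`), so with several error events the outer search would only be filtered on one ActNo; and subsearches are capped by the configured result and time limits, so for large volumes a `stats values(...)` plus `join`-free correlation (or a lookup) scales better than a subsearch.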