Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting id field from one event and looking for this id in another event

kdulhan
Explorer
‎08-31-2017 06:35 AM

Hi All,

I have the below two event logs:
Event1:
ns=app1, id=12,Error='400', Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 Error='400'
Above gives me the Event 1 where I have an error code of 400.

Kindly let me know how to fetch id from Event 1 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .

Thank you!

0 Karma
Reply

woodcock
Esteemed Legend
‎09-02-2017 11:27 PM

Like this:

ns=app1 [ns=app1 Error='400'  | table id]
| stats count BY id
| search count>1
| stats count
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2017 08:47 AM

Perhaps this will help get you started.

ns=app1 | transaction id startswith=eval(Error='400') | eval OutputField1=if(eventcount==2, 1, 0), OutputField2=if(eventcount==1, 1, 0) | stats sum(OutputField1) as OutputField1 sum(OutputField2) as OutputField2 | table OutputField2 OutputField2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kdulhan
Explorer
‎08-31-2017 09:13 AM

Thank you.

Event1:
ns=app1, id=12, [ErrorResponse] Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 ErrorResponse
Above gives me the Event 1 where I have an error.

Kindly let me know how to fetch id from Event 1 i.e. id=12 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .

Thank you

0 Karma
Reply

kdulhan
Explorer
‎09-01-2017 03:26 AM

In order to search for the error records, I use :
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.

Thank you!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2017 06:12 AM

That is different from your original question. It's difficult to provide an answer when the question changes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kdulhan
Explorer
‎09-01-2017 06:18 AM

My bad. I misread/misunderstood the logs. Kindly provide the guidance for my recent posted query.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2017 05:56 AM

Try this.

ns=app1 appId=* [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | return ActNo]
| stats sum(eval(appId=='New1')) as counter1 sum(eval(appId!='New1')) as counter2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...