Splunk Search

Extracting id field from one event and looking for this id in another event

kdulhan
Explorer

Hi All,

I have the below two event logs:
Event1:
ns=app1, id=12,Error='400', Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 Error='400'
Above gives me the Event 1 where I have an error code of 400.

Kindly let me know how to fetch id from Event 1 and then search Event 2 with that id and, if found, add 1 to Output field 1 and, if not found, add 1 to Output field 2, and get the count displayed in table format.

Thank you!

0 Karma

woodcock
Esteemed Legend

Like this:

ns=app1 [ns=app1 Error='400'  | table id]
| stats count BY id
| search count>1
| stats count
0 Karma

richgalloway
SplunkTrust

Perhaps this will help get you started.

ns=app1
| transaction id startswith=eval(Error="400")
| eval OutputField1=if(eventcount==2, 1, 0), OutputField2=if(eventcount==1, 1, 0)
| stats sum(OutputField1) as OutputField1 sum(OutputField2) as OutputField2
| table OutputField1 OutputField2
---
If this reply helps you, Karma would be appreciated.
0 Karma

kdulhan
Explorer

Thank you.

Event1:
ns=app1, id=12, [ErrorResponse] Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 ErrorResponse
Above gives me the Event 1 where I have an error.

Kindly let me know how to fetch id from Event 1, i.e. id=12, and then search Event 2 with that id and, if found, add 1 to Output field 1 and, if not found, add 1 to Output field 2, and get the count displayed in table format.

Thank you

0 Karma

kdulhan
Explorer

In order to search for the error records, I use:
ns=app1 Service='trigger1' Id!='temp-100' | search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events, and in those I have to look for a field appId = 'New1'. If it is New1, I have to add it to counter1, else to counter2.

Thank you!

0 Karma

richgalloway
SplunkTrust

That is different from your original question. It's difficult to provide an answer when the question changes.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kdulhan
Explorer

My bad. I misread/misunderstood the logs. Kindly provide the guidance for my recent posted query.

0 Karma

richgalloway
SplunkTrust

Try this.

ns=app1 appId=* [ns=app1 Service='trigger1' Id!='temp-100' | search ErrorResponse | return ActNo]
| stats count(eval(appId=="New1")) as counter1 count(eval(appId!="New1")) as counter2
---
If this reply helps you, Karma would be appreciated.
0 Karma
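The two searches in this thread (pairing an Error='400' event with its partner by id, and collecting ActNo from [ErrorResponse] events to bucket appId) are both the same Splunk pattern: a subsearch gathers key values, gets rewritten into an OR-list that filters the outer search, and stats does the counting. The following is an added example, not code from the thread or from Splunk, that reproduces that pattern in Python over constructed sample lines so the semantics can be checked offline. It assumes the poster's key=value layout, assumes the ErrorResponse events carry ns=app1 and Service='trigger1', and uses the field name id (lowercase) throughout. It also shows two caveats a practitioner should know: the `stats count BY id | search count>1` heuristic counts an id that logged the same error twice as "found", and a bare `| return ActNo` only hands back the first row (compare `| table id` or `| return 1000 ActNo`), which `limit=1` reproduces here.

```python
import re
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Set

Event = Dict[str, str]
Pred = Callable[[Event], bool]

# Mimics automatic key=value extraction for the layouts in the thread: bare
# values (id=12), single-quoted values (Service='trigger1') and trailing commas.
# Free-text tokens like [ErrorResponse] have no '=' and are only found in _raw.
KV_RE = re.compile(r"(\w+)='?([^',\s]+)'?")


def parse_event(raw: str) -> Event:
    fields: Event = dict(KV_RE.findall(raw))
    fields["_raw"] = raw
    return fields


def subsearch_keys(events: Iterable[Event], trigger: Pred, key: str,
                   limit: Optional[int] = None) -> Set[str]:
    """The inner [ ... ] search: keep trigger events, collect their key values.
    `| table <key>` returns all of them; a bare `| return <key>` returns only
    the first row, which limit=1 reproduces."""
    keys: List[str] = []
    for e in events:
        if trigger(e) and key in e:
            keys.append(e[key])
            if limit is not None and len(keys) >= limit:
                break
    return set(keys)


def outer_events(events: Iterable[Event], base: Pred, key: str,
                 keys: Set[str]) -> List[Event]:
    """The outer search once the subsearch is rewritten into
    (key=v1) OR (key=v2) ...: only events whose key is in the set survive."""
    return [e for e in events if base(e) and e.get(key) in keys]


# --- first scenario: Event1 (Error='400') paired with Event2 by id ----------

def is_app1(e: Event) -> bool:
    return e.get("ns") == "app1"


def is_error400(e: Event) -> bool:
    return is_app1(e) and e.get("Error") == "400"


def count_error_pairs(raw_lines: List[str]) -> Dict[str, int]:
    """OutputField1 = error ids that also have a non-error event,
    OutputField2 = error ids that do not.  Looking for a non-error partner
    is safer than `stats count BY id | search count>1`, which treats an id
    that logged the same error twice as 'found'."""
    events = [parse_event(line) for line in raw_lines]
    ids = subsearch_keys(events, is_error400, "id")
    rows = outer_events(events, is_app1, "id", ids)
    found = {e["id"] for e in rows if e.get("Error") != "400"}
    return {"OutputField1": len(ids & found), "OutputField2": len(ids - found)}


def count_error_pairs_naive(raw_lines: List[str]) -> Dict[str, int]:
    """The count>1 heuristic from the thread, kept for comparison."""
    events = [parse_event(line) for line in raw_lines]
    ids = subsearch_keys(events, is_error400, "id")
    per_id = Counter(e["id"] for e in outer_events(events, is_app1, "id", ids))
    found = sum(1 for i in ids if per_id[i] > 1)
    return {"OutputField1": found, "OutputField2": len(ids) - found}


# --- second scenario: ActNo from [ErrorResponse] events, then appId counters

def is_error_response(e: Event) -> bool:
    # Assumption: the error events carry ns=app1 and Service='trigger1'.
    return (is_app1(e) and e.get("Service") == "trigger1"
            and "[ErrorResponse]" in e["_raw"])


def count_app_ids(raw_lines: List[str], limit: Optional[int] = None) -> Dict[str, int]:
    events = [parse_event(line) for line in raw_lines]
    actnos = subsearch_keys(events, is_error_response, "ActNo", limit)
    rows = outer_events(events, lambda e: is_app1(e) and "appId" in e, "ActNo", actnos)
    c = Counter("counter1" if e["appId"] == "New1" else "counter2" for e in rows)
    return {"counter1": c["counter1"], "counter2": c["counter2"]}


# Constructed sample lines (not from the thread), in the poster's layout.
SAMPLE1 = [
    "ns=app1, id=12, Error='400', Service='CallGetAccount'",
    "ns=app1, id=12, Service='CallGetRetro', Account='12345'",
    "ns=app1, id=13, Error='400', Service='CallGetAccount'",
    "ns=app1, id=13, Error='400', Service='CallGetAccount'",   # retried, no partner
    "ns=app1, id=14, Service='CallGetRetro', Account='777'",    # never errored
    "ns=app2, id=15, Error='400', Service='CallGetAccount'",    # other namespace
]
SAMPLE2 = [
    "2024-07-01T10:00:00Z ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234",
    "2024-07-01T10:00:01Z ns=app1 Service='lookup' id=106 ActNo=1234 appId='New1'",
    "2024-07-01T10:00:02Z ns=app1 Service='lookup' id=107 ActNo=1234 appId='Old7'",
    "2024-07-01T10:00:03Z ns=app1 Service='lookup' id=108 ActNo=1234 appId='New1'",
    "2024-07-01T10:00:04Z ns=app1 [ErrorResponse] Service='trigger1' id=109 ActNo=5678",
    "2024-07-01T10:00:05Z ns=app1 Service='lookup' id=110 ActNo=5678 appId='Old7'",
    "2024-07-01T10:00:06Z ns=app1 Service='lookup' id=111 ActNo=9999 appId='New1'",
]

if __name__ == "__main__":
    print(count_error_pairs(SAMPLE1), count_error_pairs_naive(SAMPLE1))
    print(count_app_ids(SAMPLE2), count_app_ids(SAMPLE2, limit=1))
```

On SAMPLE1 the partner check reports one id found and one not, while the count>1 heuristic reports both as found because id 13 logged its error twice. On SAMPLE2 all ActNo values give counter1=2 and counter2=2; with `limit=1` only ActNo=1234 is used and the 5678 row is silently dropped, which is what a bare `| return ActNo` would do in the subsearch.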