I am fairly new to Splunk queries.
I have the below-mentioned logs:
INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=12345 - "Internal Server Error"
INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=12345 - "Foo"
INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=12345 - "Bar"
INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=45678 - "Success"
INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=45678 - "Foo"
INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=45678 - "Bar"
I need to search for events which have "Internal Server Error", then extract the transactionID and do a new search to print all the events which have that transactionID.
So my output should be:
INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=12345 - "Internal Server Error"
INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=12345 - "Foo"
INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=12345 - "Bar"
The query should not fail if there are no events. I used a subquery to return the transactionID for the base query, but for 0 events it failed saying "Comparator '=' has missing right side value".
Any help is much appreciated.
Try this...
index=baz [ index=baz "Internal Server Error" transactionID=* | stats by transactionID]
The stuff in braces, because of an implicit format command, translates to...
( transactionID="Value1" OR transactionID="Value2" OR ...)
If nothing comes back from the braces, it comes out as...
NOT ()
...which is valid but will return no results.
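To make the two-stage search concrete, here is a small Python model of it, run over the six log lines from the question (an added example, not Splunk code and not part of the original thread): the inner pass collects the distinct transactionIDs of events carrying the error string, a helper renders them in the OR-clause shape the answer describes (or NOT () when nothing matched), and the outer pass keeps every event for those IDs. Field extraction uses a regex written for the question's log format, which is an assumption about how the fields are laid out.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, copied from the log format shown in the question.
SAMPLE_EVENTS = [
    'INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=12345 - "Internal Server Error"',
    'INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=12345 - "Foo"',
    'INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=12345 - "Bar"',
    'INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=45678 - "Success"',
    'INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=45678 - "Foo"',
    'INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=45678 - "Bar"',
]

# Assumed field layout: LEVEL [thread]: timestamp - transactionID=N - "message"
EVENT_RE = re.compile(
    r'^(?P<level>\w+) \[(?P<thread>[^\]]+)\]: (?P<ts>\S+) - '
    r'transactionID=(?P<transactionID>\d+) - "(?P<msg>[^"]*)"$'
)

def parse_event(raw: str) -> Optional[Dict[str, str]]:
    """Field extraction: return the event's fields, or None if the line does not match."""
    m = EVENT_RE.match(raw)
    return m.groupdict() if m else None

def subsearch_ids(events: List[str], needle: str) -> List[str]:
    """Inner search: `"<needle>" transactionID=* | stats by transactionID` -> distinct IDs."""
    ids = set()
    for raw in events:
        fields = parse_event(raw)
        if fields and needle in fields["msg"]:
            ids.add(fields["transactionID"])
    return sorted(ids)

def format_clause(ids: List[str]) -> str:
    """Render the subsearch result the way the answer describes the implicit format step."""
    if not ids:
        return "NOT ()"  # empty subsearch: valid clause that matches nothing
    return "( " + " OR ".join(f'transactionID="{i}"' for i in ids) + " )"

def outer_search(events: List[str], needle: str) -> List[str]:
    """Outer search: keep every event whose transactionID came back from the subsearch."""
    wanted = set(subsearch_ids(events, needle))
    matched = []
    for raw in events:
        fields = parse_event(raw)
        if fields and fields["transactionID"] in wanted:
            matched.append(raw)
    return matched  # empty list, not an error, when the subsearch found nothing
```

Running outer_search(SAMPLE_EVENTS, "Internal Server Error") returns exactly the three transactionID=12345 lines from the question; a needle that matches nothing yields an empty list rather than a failed query.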
Still doesn't work.
This query gives the stats "index=baz "Internal Server Error" transactionID=* | stats by transactionID".
But this whole query index=baz [search index=baz "Internal Server Error" transactionID=* | stats by transactionID] says 0 events found.
Since I am new, please help if there are any silly mistakes.