Splunk Search

How do I feed an array of strings from the results of a search to another search

Explorer

I have setup a field extraction that parses OC4J Apache logs of the following format and extracts the ecid:

index="app" host="somehost*" sourcetype="access_log-too_small" AND req_status=500 AND req_srvc_time>1

which returns:

10.1.2.3 - - [24/Jul/2013:09:36:44 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action HTTP/1.1" 500 659 [7201 (secs)]

The extracted ecid's would then be:
1374676196:192.168.1.2:3229:0:12737

I want to pass the ecids (there would be more than one) to another search that looks across all logs (application logs, frontend host logs, etc) and returns all entries it finds. I do this manually by performing the following search:

index="app" "1374676196:192.168.1.2:3229:0:12737*"

to get:

2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()?id=XyZ1312&sn=123456] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]
2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()?id=XbZ1312&sn=123456] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]
[Wed Jul 24 09:29:58 2013] [error] [client 10.1.2.3] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] mod_oc4j: request to OC4J locosprod0005:12501 failed: recv failed (errno=4)
10.1.2.3 - - [24/Jul/2013:09:29:58 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action?id=PTHG141277&sn=655164 HTTP/1.1" 500 659 [7202 (secs)]

The example I gave above uses one (1) ECID. The query would ideally look up all ECIDs returned by the first query and return the corresponding entries from other logs. Is there a way to combine these two queries? Thanks in advance!

0 Karma
1 Solution

Explorer

lguinn's answer took me to the right query! Here it is:

index="app" [ search index="app"
host="somehost*" sourcetype="access_log-too_small" AND req_status=500
AND req_srvc_time>1 | rename ecid as query | fields query]

0 Karma

Legend

index="app" [ search index="app" host="somehost*" sourcetype="access_log-too_small" AND req_status=500 AND req_srvc_time>1 | table ecid ]

will work if you have less than 100 ecids.

0 Karma

Legend

index="app" [ search index="app" host="somehost*" req_status=500 sourcetype="access_log-too_small" AND req_srvc_time>1 | rename ecid as search ]

may be closer to what you need; it will return results from other logs. Still only works with less than 100 ecids.

0 Karma

Explorer

Thanks, but that only returns results from the access_log-too_small sourcetype. This may be due to the fact that I have defined ecid in the field extractions of that source type and not others. The other source types (log4j, access_combined, etc.) don't have a field named ecid defined.

I was trying to avoid that and do a free-form search on _raw, as each application (sourcetype is log4j) appends the ecid in a different location. I am working with the developers to come up with a unified format that I can then create a field extraction for.

0 Karma
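As an added illustration (not code from the thread or from Splunk) of what the accepted subsearch does, and of the two caveats raised in the later replies (the 100-row subsearch limit and matching ecids in sourcetypes that have no ecid field extraction), here is a Python model of the two stages. The sample log lines are constructed from the ones quoted in the thread, and the ACCESS_RE pattern is an assumed stand-in for the access_log-too_small field extraction.

```python
import re

# Constructed sample lines modelled on the ones quoted in the thread (not real data).
ACCESS_LOG = [
    '10.1.2.3 - - [24/Jul/2013:09:36:44 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action HTTP/1.1" 500 659 [7201 (secs)]',
    '10.1.2.3 - - [24/Jul/2013:09:36:50 -0700] [ecid: 1374676200:192.168.1.2:3229:0:12801,0] "GET /app-context/other.action HTTP/1.1" 200 120 [0 (secs)]',
    '10.1.2.4 - - [24/Jul/2013:09:37:01 -0700] [ecid: 1374676210:192.168.1.2:3229:0:12900,0] "GET /app-context/some.action HTTP/1.1" 500 659 [9 (secs)]',
]
OTHER_LOGS = [  # log4j, mod_oc4j error log, ...: the ecid sits in a different place in each
    '2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]',
    '[Wed Jul 24 09:29:58 2013] [error] [client 10.1.2.3] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] mod_oc4j: request to OC4J locosprod0005:12501 failed: recv failed (errno=4)',
    '2013-07-24 07:30:02,100 INFO UserTimingInterceptor.logAfterMessage - End action by [user2] ECID [1374676200:192.168.1.2:3229:0:12801,1]',
    '2013-07-24 07:31:00,000 WARN SlowQueryMonitor - statement for request 1374676210:192.168.1.2:3229:0:12900 exceeded budget',
]

# Assumed field extraction for the access_log-too_small sourcetype: ecid, HTTP status, service time.
ACCESS_RE = re.compile(
    r'\[ecid: (?P<ecid>[^,\]]+),\d+\] "[^"]*" (?P<status>\d{3}) \d+ \[(?P<secs>\d+) \(secs\)\]'
)

def inner_search(lines, status=500, min_secs=1):
    """Stage 1 (the subsearch): distinct ecids of requests with the given status
    and a service time above min_secs, in first-seen order."""
    ecids = []
    for line in lines:
        m = ACCESS_RE.search(line)
        if m and int(m['status']) == status and int(m['secs']) > min_secs:
            if m['ecid'] not in ecids:
                ecids.append(m['ecid'])
    return ecids

def subsearch_clause(ecids, maxout=100):
    """Approximate the OR-clause Splunk splices into the outer search from
    '| rename ecid AS query | fields query'. A subsearch is capped at maxout
    rows (default 100) and the rest are dropped silently, hence the 100-ecid warning."""
    kept = ecids[:maxout]
    return '(' + ' OR '.join(f'"{e}"' for e in kept) + ')' if kept else ''

def outer_search(lines, ecids):
    """Stage 2: free-form match on the raw line, so it works for every sourcetype
    whether or not an ecid field extraction exists for it."""
    return [line for line in lines if any(e in line for e in ecids)]

if __name__ == '__main__':
    found = inner_search(ACCESS_LOG)
    print('outer search term:', subsearch_clause(found))
    for hit in outer_search(OTHER_LOGS, found):
        print(hit)
```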