
How do I find common values in the results of two queries on the same source and field?

user9025
Path Finder

I have two queries: 

1. index=A sourcetype=B "ERROR_A" | rex field=_raw "loginid (?<login_id>\d+) ::" | dedup login_id | table login_id

Output, e.g.:

123
456
789

2. index=A sourcetype=B "ERROR_B" | rex field=_raw "loginid (?<login_id>\d+) ::" | dedup login_id | table login_id

Output, e.g.:

878
123
456

Query 1 finds all the login IDs which failed because of ERROR_A, and Query 2 finds all the login IDs which failed because of ERROR_B. I want to find all the login IDs which failed because of both ERROR_A and ERROR_B. So the expected result from the above is:

123
456

How can I combine both these queries, given that the loginid is a field extracted from the raw logs?

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index=A sourcetype=B "ERROR_A" OR "ERROR_B" 
| rex "(?<errortype>ERROR_A|ERROR_B)"
| rex field=_raw "loginid (?<login_id>\d+) ::" 
| stats count by login_id errortype
| stats count by login_id
| where count = 2


somesoni2
SplunkTrust
SplunkTrust

Give this a try

index=A sourcetype=B  "ERROR_A" OR "ERROR_B"
| rex field=_raw "loginid (?<login_id>\d+) ::" 
| eval Error=if(searchmatch("ERROR_A"), "ERROR_A" ,"ERROR_B" )
| stats dc(Error) as Errors by login_id | where Errors=2
| table login_id

user9025
Path Finder

I will try and update. May I know, in the expression:

| eval Error=if(searchmatch("ERROR_A"), "ERROR_A" ,"ERROR_B" )

why have we put only ERROR_A in the searchmatch clause?


user9025
Path Finder

Testing. Will update once I have run this.
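As an added illustration (not code from the thread), here is a small offline Python model of what the accepted search computes: extract login_id and errortype with the question's regexes, group by login, and keep only the logins that hit every required error type. The sample events and error strings are constructed to reproduce the thread's example output.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread) in the layout the
# question's rex expects: "... loginid <digits> ::".
EVENTS = [
    "ERROR_A auth failed :: loginid 123 :: retry=0",
    "ERROR_B session expired :: loginid 123 :: ttl=0",
    "ERROR_A auth failed :: loginid 456 :: retry=1",
    "ERROR_B session expired :: loginid 456 :: ttl=0",
    "ERROR_A auth failed :: loginid 789 :: retry=2",
    "ERROR_B session expired :: loginid 878 :: ttl=0",
    "ERROR_A auth failed :: loginid 123 :: retry=1",  # repeat; collapses like dedup
    "ERROR_A auth failed :: user=unknown",             # no loginid: dropped by "stats ... by login_id"
]

LOGIN_RE = re.compile(r"loginid (?P<login_id>\d+) ::")
# First match only, mirroring the accepted answer's rex "(?<errortype>ERROR_A|ERROR_B)".
ERROR_RE = re.compile(r"(?P<errortype>ERROR_A|ERROR_B)")


def errors_by_login(events):
    """Model of `stats values(errortype) by login_id`: set of error types seen per login.

    Events where either rex fails have a null field and fall out of the BY clause,
    so they are skipped here too.
    """
    seen = defaultdict(set)
    for raw in events:
        login = LOGIN_RE.search(raw)
        err = ERROR_RE.search(raw)
        if not login or not err:
            continue
        seen[login.group("login_id")].add(err.group("errortype"))
    return seen


def logins_with_all(events, required=("ERROR_A", "ERROR_B")):
    """Model of `stats dc(errortype) as n by login_id | where n = <number of error types>`.

    Returns the sorted login IDs that appear with every error type in `required`.
    """
    wanted = set(required)
    return sorted(login for login, errs in errors_by_login(events).items() if wanted <= errs)


if __name__ == "__main__":
    print(logins_with_all(EVENTS))  # the thread's expected result: ['123', '456']
```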