How to Use Field Values in Endswith Parameter of T...

Traer001 · ‎04-23-2021

Hello!

I am trying to group my log entries based on very specific criteria but can't seem to figure out how to do so.

I have logs like this:

2021-04-23 16:47:26 User Id: 6211 Error Resolved

2021-04-23 16:47:25 Error[0] type 800

2021-04-23 16:47:25 User Id: 2345 Error Resolved

2021-04-23 16:47:23 Error[0] Error Response {"user_id":2345, "error_id":9101, ..............etc}

2021-04-23 16:47:23 Error[0] type 800

2021-04-23 16:47:22 Error[0] Error Response {"user_id":6211, "error_id":9100, ..............etc}

2021-04-23 16:47:22 Error[0] type 800

I am trying to get three events in my transactions: (1) the initial error type message, (2) the error response details, and (3) the error resolved message. However, I need the error response details and the error resolved message to contain the same user id. I currently have my query set up like this:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "Error\[0\]\stype\s(?<error_code>\d+)"
| rex field=_raw "User\sId:(?<user_id>\d+)\sError\sResolved"
| rex field=_raw "Error\[0\]\sError\sResponse\s{\"user_id\":(?<user_id>\d+)"
| where user_id<20000 or error_code=800
| transaction startswith="Error[0] type 800" endswith="User Id:"

I'm lost on how to make sure that the transaction retrieves only the events where the user id of the error response details matches the error resolved message. Any ideas?

How to Use Field Values in Endswith Parameter of Transactions

fields

transaction

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?