Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a query using values that come from the result of a different query

HomelessMonkey
Engager
‎08-25-2015 01:58 PM

Hello,

So I'm logging xml requests and responses as raw strings into splunk. To get the responses searching, among other things, the following string:

 >response</

This results of this will have a value that will help me link them to the request associated to that response. My question is, how can I search for the requests associated to those specific results.

So for example, my first query returns 100 responses with different unique "RequestID", how do i find the 100 requests that have that "RequestID".

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2015 03:45 PM

Assuming you have the field RequestID extracted for both Request and Response XML data, try something like this

your base search to get request xml  [search your base search to get Response xml | table RequestID ] | rest of the search

THe subsearch will get list of RequestID and make a giant OR condition , which will filter the data from your base search which is for Requests.
Update
Try something like this

your base search to get Response XML | rex field=_raw "requestID\>(?<RequestId>[^\<])" |  eval search="requestID\>".RequestId | table search] | rest of the search

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2015 03:45 PM

Assuming you have the field RequestID extracted for both Request and Response XML data, try something like this

your base search to get request xml  [search your base search to get Response xml | table RequestID ] | rest of the search

THe subsearch will get list of RequestID and make a giant OR condition , which will filter the data from your base search which is for Requests.
Update
Try something like this

your base search to get Response XML | rex field=_raw "requestID\>(?<RequestId>[^\<])" |  eval search="requestID\>".RequestId | table search] | rest of the search
Reply
Solved! Jump to solution

HomelessMonkey
Engager
‎08-25-2015 04:22 PM

Sadly the whole thing is just a raw string so it's more like:

[rest of the xml]<requestId>value</requestid>..[rest of the xml]
0 Karma
Reply
Solved! Jump to solution

HomelessMonkey
Engager
‎08-26-2015 12:45 PM

I just tried your Updated code as suggested and I'm getting parser errors. Trying to look up in the documentation, just to be sure my query is looking something like this

responseQuery | rex field=_raw "requestID\>(?<RequestId>[^\<])" |  eval search="requestID\>".RequestId | table search] | requestQuery

Getting a "mismatched ]" error (guessing it is the one after search. When removing it, it tries to parse the query as a command. Thanks so much for the help so far, I'm not used to performing this kind of queries.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-26-2015 12:56 PM

If you can post sample query using which you're getting response data and request data (two separate queries), I can help you translate this correctly.

0 Karma
Reply
Solved! Jump to solution

HomelessMonkey
Engager
‎08-26-2015 03:22 PM

Request: [environment name] ">request</" ProcessXmlStream
Response: ">response</" [Error code]

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top