Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a query using values that come from ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
So I'm logging xml requests and responses as raw strings into splunk. To get the responses searching, among other things, the following string:
>response</
This results of this will have a value that will help me link them to the request associated to that response. My question is, how can I search for the requests associated to those specific results.
So for example, my first query returns 100 responses with different unique "RequestID", how do i find the 100 requests that have that "RequestID".
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have the field RequestID extracted for both Request and Response XML data, try something like this
your base search to get request xml [search your base search to get Response xml | table RequestID ] | rest of the search
THe subsearch will get list of RequestID and make a giant OR condition , which will filter the data from your base search which is for Requests.
Update
Try something like this
your base search to get Response XML | rex field=_raw "requestID\>(?<RequestId>[^\<])" | eval search="requestID\>".RequestId | table search] | rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have the field RequestID extracted for both Request and Response XML data, try something like this
your base search to get request xml [search your base search to get Response xml | table RequestID ] | rest of the search
THe subsearch will get list of RequestID and make a giant OR condition , which will filter the data from your base search which is for Requests.
Update
Try something like this
your base search to get Response XML | rex field=_raw "requestID\>(?<RequestId>[^\<])" | eval search="requestID\>".RequestId | table search] | rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sadly the whole thing is just a raw string so it's more like:
[rest of the xml]<requestId>value</requestid>..[rest of the xml]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just tried your Updated code as suggested and I'm getting parser errors. Trying to look up in the documentation, just to be sure my query is looking something like this
responseQuery | rex field=_raw "requestID\>(?<RequestId>[^\<])" | eval search="requestID\>".RequestId | table search] | requestQuery
Getting a "mismatched ]" error (guessing it is the one after search. When removing it, it tries to parse the query as a command. Thanks so much for the help so far, I'm not used to performing this kind of queries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can post sample query using which you're getting response data and request data (two separate queries), I can help you translate this correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Request: [environment name] ">request</" ProcessXmlStream
Response: ">response</" [Error code]
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
