Splunk Search

How to edit my subsearch to find a particular SessionID and phrase?

DanielWick
New Member

I have multiple events that are related by a similar sessionID. One event contains an employerCode, which is what I would want the input on the dashboard to be. I have hardcoded that to 00000 for now. I am looking to have my subsearch look for all logs associated with that employerCode and pull out all SessionIDs. When I run this subsearch by itself, it works fine.

sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?.*)\];" | dedup sid | table sid

Results:
sid
S1
S2
S3
etc.

However, I am now wanting to find all logs that contain those SessionIDs and the phrase "ReasonCode". I have attempted to use the following query, but am not getting any results:

sourcetype="ta" index="p_r" "ReasonCode" [search sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?.*)\];" | dedup sid | table sid]

However, if I were to try the following query by hardcoding the sessionID, I get what I am looking for:

sourcetype="ta" index="p_r" "ReasonCode" "S1"

It would be very appreciated if somebody could help me resolve my issue and point out my mistake.

0 Karma

hunters_splunk
Splunk Employee

Hi DanielWick,

I think the rex syntax in your search is incorrect.

rex field=_raw "SessionID:\[(?.*)\];"

If you want to extract the session ID from your raw events and assign the values to a field, you should supply the field name in the regex capture group. For example, if your new field is sid, use the following search:

sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?<sid>.*)\];" | dedup sid | table sid

For details about the rex command, please refer to:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex

In your search below, you simply retrieved all the events with "S1" in the raw data, not with field sid="S1".

sourcetype="ta" index="p_r" "ReasonCode" "S1"

Also, please note that subsearch is not without its limitations. Subsearches are limited by both time and event count:
• Default time limit = 60 seconds
– If the subsearch continues to run after this time, it is finalized
– Only the events found during that time are returned to the outer search
• Default results limit = 10,000
– After 10,499 entries, the results are truncated (partial result set)

Hope this helps. Thanks!
Hunter

0 Karma
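Two ways to make the subsearch result usable by the outer search, as an added example that is not part of either post above. When a subsearch ends in `table sid`, the outer search expands it into `(sid="S1") OR (sid="S2") ...`; the outer search in the question never runs the `rex`, so its events carry no `sid` field and the field comparison matches nothing, which is why the raw-text search `"ReasonCode" "S1"` works while the subsearch form does not. The first variant renames the subsearch field to `search`, which makes Splunk insert the values as raw search terms, exactly reproducing the hand-written test ORed across every session ID. The second keeps the field comparison but runs the same `rex` in the outer search first. The tighter `[^\]]+` in place of `.*` is an assumption about the log format (one bracketed ID per event) and stops the capture running past the first `]` when a line contains more than one; `00000` stands where a dashboard token such as `$employerCode$` (an assumed token name) would go.

```spl
sourcetype="ta" index="p_r" "ReasonCode"
    [ search sourcetype="ta" index="p_r" "employer code [00000]"
      | rex field=_raw "SessionID:\[(?<sid>[^\]]+)\]"
      | dedup sid
      | rename sid AS search ]

sourcetype="ta" index="p_r" "ReasonCode"
| rex field=_raw "SessionID:\[(?<sid>[^\]]+)\]"
| search
    [ search sourcetype="ta" index="p_r" "employer code [00000]"
      | rex field=_raw "SessionID:\[(?<sid>[^\]]+)\]"
      | dedup sid
      | table sid ]
| table _time sid _raw
```

The `dedup sid` in both variants keeps the subsearch well under the 10,000-result limit mentioned above, which matters because a truncated subsearch silently drops session IDs and the outer search then returns a partial result set without any error.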