Re: How to extract a string from a field to use in...

skiller1234 · ‎08-05-2016

So I am new to Splunk, but cannot seem to find the answer to this likely simple search question. So I need to search for a string, then use that value in a second search. Assuming this will just be a subsearch.

For Example:

I can use this search to pull the piece of information I need - but it labels it as a field called callID. We have not set up callID as a field yet it seems, and I don't want to rock the boat on that just yet, so I think I just need it as a string to use in the next search. Would I look for that "callID" part using regex?

index=sip-ra ani 18005551111 17775559999 ConfJoinNote | rex field=_raw "\(?<callID>.*)\<\/callLegSessionID\>"

that would return this as callID:

204.466.sip_reservationless_conference.102@64.214.111.111

Then my next search would have the above as a subsearch like so:

index=sip-ra [subsearch to get the callID string] "audio" "digits"

I just can't figure out how to get it to use that 204.466*** as part of that next search?

thank you!

skiller

sundareshr · ‎08-05-2016

Try this

index=sip-ra [ search index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?<callID>.*)\<\/callLegSessionID\>"  | table callID | rename callID as search] "audio" digits"

skiller1234 · ‎08-05-2016

Apologies - the first search is incomplete:

index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?.*)<\/callLegSessionID>"

How to extract a string from a field to use in another search?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to extract a string from a field to use in another search?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine