Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract a string from a field to use in another search?

skiller1234
Explorer
‎08-05-2016 10:05 AM

So I am new to Splunk, but cannot seem to find the answer to this likely simple search question. So I need to search for a string, then use that value in a second search. Assuming this will just be a subsearch.

For Example:

I can use this search to pull the piece of information I need - but it labels it as a field called callID. We have not set up callID as a field yet it seems, and I don't want to rock the boat on that just yet, so I think I just need it as a string to use in the next search. Would I look for that "callID" part using regex?

index=sip-ra ani 18005551111 17775559999 ConfJoinNote | rex field=_raw "\(?<callID>.*)\<\/callLegSessionID\>"

that would return this as callID:

204.466.sip_reservationless_conference.102@64.214.111.111

Then my next search would have the above as a subsearch like so:

index=sip-ra [subsearch to get the callID string] "audio" "digits"

I just can't figure out how to get it to use that 204.466*** as part of that next search?

thank you!

skiller

Reply

sundareshr
Legend
‎08-05-2016 10:15 AM

Try this

index=sip-ra [ search index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?<callID>.*)\<\/callLegSessionID\>"  | table callID | rename callID as search] "audio" digits"
Reply

skiller1234
Explorer
‎08-05-2016 10:08 AM

Apologies - the first search is incomplete:

index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?.*)<\/callLegSessionID>"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...