How to extract session ID list and perform another search over it?

vitorvmiguel
Explorer

Hi folks,

I need a solution for counting one thing by extracting a list of IDs from the same index. My log archive has the fields tipo (type), equal to I=success, E=error, W=warning; programa (transaction); idlogon (session ID); and info10 (user agent).

What I intend to do is extract a list of session IDs of clients with errors, search below:

index="raw_internet_cartonista" programa="WNHC" tipo="E" | eval Clientes=idlogon

Then, with this list of IDs, I want to perform a search of user agents in another transaction, search below:

index="raw_internet_cartonista" programa="ILCL" tipo="I" | stats count(info10) by Clientes

I need to append these searches, but I'm not getting it.

Can anyone help?

Thanks

1 Solution

woodcock
Esteemed Legend

Try this:

 index="raw_internet_cartonista" programa="WNHC" tipo="E" | map search="search index=\"raw_internet_cartonista\" programa=\"ILCL\" tipo=\"I\" | stats count info10 by $idlogon$"

bmacias84
Champion

If you have more than 10 results you will have to use the maxsearches argument. The map command is essentially a loop command. If you have a dynamic range of results, 10 sometimes 100, and set maxsearches to 100, it may miss results if you occasionally get 110 results.


vitorvmiguel
Explorer

woodcock, can you explain the query you sent? I don't know the map command or what you did; simply copying the search didn't work. What does this syntax mean? And what does the \" that you used do?


woodcock
Esteemed Legend

I actually did it wrong; try this:

index="raw_internet_cartonista" programa="WNHC" tipo="E" | eval Clientes=idlogon | dedup Clientes | table Clientes | map search="search index=\"raw_internet_cartonista\" programa=\"ILCL\" tipo=\"I\" idlogon=$Clientes$| stats count as UserAgent by info10 idlogon"

bmacias84
Champion

I have a janky way of doing this with subsearches and the return command.

This first search is used to get the number of return values needed, since return requires you to enter a number value, else it will return only one value.

index="raw_internet_cartonista" programa="WNHC" tipo="E" | stats dc(idlogon) as c | return $c

Next you use this as a subsearch with an identical search. The result is idlogon=<value1> OR idlogon=<value2> OR idlogon=<value3> OR idlogon=<value4> and so on.

index="raw_internet_cartonista" programa="WNHC" tipo="E" 
  | return [search index="raw_internet_cartonista" programa="WNHC" tipo="E"
            | stats dc(idlogon) as c 
            | return $c] idlogon

Finally you use the result in your main search.

index="raw_internet_cartonista" programa="ILCL" tipo="I" 
  [ search index="raw_internet_cartonista" programa="WNHC" tipo="E" 
    | return [search index="raw_internet_cartonista" programa="WNHC" tipo="E"
                | stats dc(idlogon) as c 
                | return $c] idlogon]
  | stats count(info10) by idlogon

Option two: you can use mvcombine and return.

index="raw_internet_cartonista" programa="WNHC" tipo="E" 
    | table idlogon 
    | eval idlogon="idlogon="+idlogon 
    | mvcombine delim=" OR " idlogon 
    | return $idlogon

Finally, note that this method is subject to max char/lines per field limits, which I can't remember.

index="raw_internet_cartonista" programa="ILCL" tipo="I" 
  [ search index="raw_internet_cartonista" programa="WNHC" tipo="E" 
    | table idlogon 
    | eval idlogon="idlogon="+idlogon 
    | mvcombine delim=" OR " idlogon 
    | return $idlogon ]
  | stats count(info10) by idlogon

I've used this to find GUIDs that have generated errors and then using the found GUIDs find all matching events/transactions that took place.

Hope this helps. Don't forget to vote and accept answers.
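Added example, not posted by anyone in this thread: the same session-ID handoff written as a plain subsearch with fields and format, which is the SPL idiom usually reached for before map or the return trick. The index and field names (raw_internet_cartonista, programa, tipo, idlogon, info10) are the ones from the question; nothing else is assumed.

```spl
index="raw_internet_cartonista" programa="ILCL" tipo="I"
    [ search index="raw_internet_cartonista" programa="WNHC" tipo="E"
      | dedup idlogon
      | fields idlogon
      | format ]
| stats count by idlogon info10
```

The subsearch in square brackets runs first; dedup keeps one row per erroring session, fields drops every other column, and format turns the rows into an OR-ed filter of the form ( idlogon="..." ) OR ( idlogon="..." ) that the outer search applies before counting user agents per session. The caveat is the same one bmacias84 raises for maxsearches: subsearches are capped by limits.conf [subsearch] maxout (default 10000 results) and maxtime (default 60 seconds), and when either cap is hit the ID list is silently truncated, so the outer count is incomplete without any error in the result set. Check the job inspector for the subsearch truncation message when the numbers look low, and keep the inner search narrow (short time range, dedup, fields) so the list stays well under the cap.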
