Splunk Search

How to extract tracktrace field from one search to use in another search?

kenth213
Path Finder

I have a dashboard/form which takes two field inputs to perform a search and find an appropriate tracktrace.
index=myindex sourcetype="mysource" "$token$" "$token2$" | rex "(?i)<ns2:MessageTrackTrace>(?P<tracktrace>[^<]+)" | table tracktrace

I need to be able to use the tracktrace value from the above search and perform a new search to return a different field which isn't part of the same events returned above e.g.
index=myindex sourcetype="mysource" $tracktrace$ | rex "(?i)(?P<myvalue>[^<]+)" | table myvalue

How would I go about this?


wpreston
Motivator

If I'm understanding what you want to do, it sounds like a subsearch might be the way to go. Something like this?

index=myindex sourcetype="mysource" [search index=myindex sourcetype="mysource" "$token$" "$token2$" | rex "(?i)<ns2:MessageTrackTrace>(?P<tracktrace>[^<]+)" | fields tracktrace | dedup tracktrace] | rex "(?i)(?P<myvalue>[^<]+)" | table myvalue

This approach should work great for retrieving a set of events based on values received from another search, as long as the subsearch returns less than 10,500 results. If you're going to have more than 10,500 unique tracktraces, we will need to restructure this search.



kenth213
Path Finder

This is getting closer thanks! Though I have a couple of bumps that need ironing out.

Checking the search job inspector, I can see that it has evaluated the subsearch expression, found the correct value, and incorporated it into my main search - perfect. Though I'm returning no results...doh. I think it might be because of the field name I am using.

When I find the track trace initially, it comes from an xml field named , which I was calling tracktrace in my rex. However when I am using that value to find the appropriate logs in my main search the xml field name is .

The subsearch then goes looking for tracktrace="M40GW2014092911354947166" which can't be found.
Can I somehow still use the value/result (M40GW2014092911354947166) from the subsearch and populate that into the main search in a way that it can find the event?
i.e. If I just type into search "M40GW2014092911354947166" it would return the correct event.

Or am I naming the field incorrectly that I could do another way? Currently:

rex "(?i)<ns2:MessageTrackTrace>(?P<tracktrace>[^<]+)"

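The mismatch described above (the subsearch emits `tracktrace="VALUE"`, but the target event stores the same value under a different XML tag, so a field match fails) can be avoided by having the subsearch hand back the bare value as a raw search term. The following is an added example, not code from this thread; it keeps the page's `$token$`/`$token2$` inputs and the `ns2:MessageTrackTrace` tag, and `PLACEHOLDER_MyValueTag` stands in for the target event's tag, which the thread never names.

```spl
index=myindex sourcetype="mysource"
    [ search index=myindex sourcetype="mysource" "$token$" "$token2$"
      | rex "(?i)<ns2:MessageTrackTrace>(?P<tracktrace>[^<]+)"
      | dedup tracktrace
      | return 100 $tracktrace ]
| rex "(?i)<PLACEHOLDER_MyValueTag>(?P<myvalue>[^<]+)"
| table myvalue
```

`return 100 $tracktrace` expands to `(VALUE1) OR (VALUE2) ...` without a field name, so the outer search matches the value wherever it appears in the raw event, exactly as typing the value into the search bar does; `| fields tracktrace | rename tracktrace AS search` is the equivalent older idiom, and either form is still subject to the subsearch result limit wpreston mentions.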

kenth213
Path Finder

Revisited this after Xmas and managed to get this working correctly with a subsearch. There was an issue with my main search string throwing off my results. Thanks for the help.


sk314
Builder

Have you tried piping it to a search command like so:

index=myindex sourcetype="mysource" "$token$" "$token2$" | rex "(?i)<ns2:MessageTrackTrace>(?P<tracktrace>[^<]+)" | search tracktrace | rex "(?i)(?P<myvalue>[^<]+)" | table myvalue

sk314
Builder

Try this instead:

index=myindex sourcetype="mysource" "$token$" "$token2$" | rex "(?i)<ns2:MessageTrackTrace>(?P<tracktrace>[^<]+)" | search tracktrace="*" | rex "(?i)(?P<myvalue>[^<]+)" | table myvalue

I am assuming token and token2 are populated properly and the rex extraction is named tracktrace. I forgot to add tracktrace="*" in the previous comment.


kenth213
Path Finder

Yes and it wasn't successful. The information I want to ultimately find/display is in a separate event to where I initially pick up the tracktrace value.

As the user wouldn't have the tracktrace to return the required results, the purpose of the form is to find the tracktrace for them from information they do have. Then perform a search based off that tracktrace to return the desired information. Some code was trimmed out of my initial post, but basically:

Search 1 takes two token inputs from text fields and completes the appropriate search to return the event that contains the track trace.
The track trace value is then extracted.
I then need to perform another search with this value to find the event with results they are looking for, and extract/display the field.
