
How to get a variable from first search and pass to subsearch?


There are two kinds of log: one is the error log, the other is the access log.

In the error log there is a field requestUrl; its value format is https://google.com/home.html.
In the access log there is a field requestPath; its value format is /home.html.

I want to combine them using requestUrl and requestPath, and then count the error rate.

The query I used is like this:

index=app..eventName=xxx| rex field=requestUrl "https://google.com(?<**path**>.*)" | stats count as failureCount | appendcols [search index=app .. requestPath=$**path**$| stats count as total]

The variable **path** cannot be passed to requestPath in subsearch. I can only get total=0.

Anyone know how to get the path from the first search passed to subsearch?



Also, you cannot use asterisks ( * ) in a field name. Maybe that is the only problem that you are having?



I use the following query. It works if the base search result is not null, but I get an error if the base search result is null: Error in 'map': Did not find value for required attribute 'commonPath'.
What can I do to skip the subsearch and set successRate to 100 when there is no numError?

index=app .. eventName=xxx| rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)" |stats count as numError by commonPath| map search="search index=app .. requestPath=$commonPath$| stats count as numTotal by requestPath | eval successRate=(numTotal - $numError$)/numTotal*100 "


Thanks jplumsdaine22 & woodcock.
I cannot use requestUrl/eventName to count numErrors directly. I need to filter errors with other fields, like level=error, and this field exists only in the event log, not in the access log.

So I decided to use the map command even though it is inefficient. Thanks for your help. 🙂


Generally, this is done with the map command but that would be way too inefficient for this use-case.

Try this (put your special stuff instead of ...):

index=app ... | rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(isnotnull(requestUrl))) AS numErrors count(eval(isnotnull(requestPath))) AS numHits by commonPath
| where numErrors>0

This shows you only those path values that have errors and shows both a hit-count and error-count.

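The single-pass approach above, carried through to the error rate the question asks for, as an added example (not part of the original thread or any poster's query). It assumes the follow-up post's filter, level=error, marks an error event, and that access events carry requestPath while error events carry requestUrl; the leading makeresults block builds a few constructed sample events (three access hits and two level=error events for /home.html, one hit and one level=warn event for /search.html, one hit for /about.html) so the search runs without an index. In a real deployment replace that block with index=app ... and keep the rest.

```spl
| makeresults
| eval sample="error|https://google.com/home.html|error|;error|https://google.com/home.html|error|;error|https://google.com/search.html|warn|;access|||/home.html;access|||/home.html;access|||/home.html;access|||/search.html;access|||/about.html"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<logtype>[^|]*)\|(?<requestUrl>[^|]*)\|(?<level>[^|]*)\|(?<requestPath>.*)$"
| foreach requestUrl level requestPath [ eval <<FIELD>>=if(<<FIELD>>="", null(), <<FIELD>>) ]
| fields - sample
| rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(logtype="access")) AS numHits count(eval(level="error")) AS numErrors by commonPath
| eval successRate=if(numHits>0, round((numHits-numErrors)/numHits*100, 2), null())
| sort commonPath
```

The first rex strips the scheme and host so both log types share one key, commonPath; coalesce fills it from requestPath for access events; a single stats with conditional counts replaces the map or subsearch, so no token has to cross a search boundary and an empty base search cannot fail. On the constructed data this yields /about.html 1 hit, 0 errors, successRate 100; /home.html 3 hits, 2 errors, 33.33; /search.html 1 hit, 0 errors, 100 (the warn event is not counted). A path that appears only in the error log gets numHits=0 and a null successRate rather than a division error; append | where numErrors>0 to keep only paths that had errors, as in the answer above.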


You may be better off doing this backwards.

index=app [index=app..eventName=xxx| rex field=requestUrl "https://google.com(?<requestPath>.*)" |fields requestPath]
|stats count as Total count(eval(eventName="xxx")) as Failures by requestPath
