Splunk Search

How to get a variable from first search and pass to subsearch?


There are 2 kinds of log:
one is error log
the other is access log.

In error log, there is a field requestUrl. value format is https://google.com/home.html.
In access log, there is field requestPath, value format is /home.html.

I want to combine them with requestUrl and requestPath, and then count the error rate.

The query I used likes:

index=app..eventName=xxx| rex field=requestUrl "https://google.com(?<**path**>.*)" | stats count as failureCount | appendcols [search index=app .. requestPath=$**path**$| stats count as total]

The variable **path** cannot be passed to requestPath in subsearch. I can only get total=0.

Anyone know how to get the path from the first search passed to subsearch?

Tags (2)
0 Karma

Esteemed Legend

Also, you cannot use asterisks ( * ) in a field name. Maybe that is the only problem that you are having?

0 Karma


I use following query. It works if base search result is not null. But get error if base search result is null - Error in 'map': Did not find value for required attribute 'commonPath'.
What can I do to skip the subsearch and set successRate to 100 when no numError?

index=app .. eventName=xxx| rex field=requestUrl "([^/]+://)?[^/]+(?/.*)" |stats count as numError by commonPath| map search="search index=app .. requestPath=$commonPath$| stats count as total by requestPath | eval successRate=(numTotal - $numError$)/numTotal*100 "
0 Karma


Thanks jplumsdaine22 & woodcock.
I cannot use requestUrl/eventName to count numErrors directly. I need to filter errors with other fields, like level=error. And this field exists only in event log not in access log.

So I decide to use map command even it is inefficient. Thanks for your help. 🙂

0 Karma

Esteemed Legend

Generally, this is done with the map command but that would be way too inefficient for this use-case.

Try this (put your special stuff instead of ...😞

index=app ... | rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(isnotnull(requestUrl))) AS numErrors count(eval(isnotnull(requestPathl))) AS numHits by commonPath
| where numErrors>0

This shows you only those path values that have errors and shows both a hit-count and error-count.

0 Karma


You may be better off doing this backwards.

index=app [index=app..eventName=xxx| rex field=requestUrl "https://google.com(?.*)" |fields requestPath]
|stats count as Total count(eval(eventName="xxx")) as Failures by requestPath

0 Karma
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...