Splunk Search

How to get a variable from first search and pass to subsearch?


There are 2 kinds of log:
one is error log
the other is access log.

In error log, there is a field requestUrl. value format is https://google.com/home.html.
In access log, there is field requestPath, value format is /home.html.

I want to combine them with requestUrl and requestPath, and then count the error rate.

The query I used likes:

index=app..eventName=xxx| rex field=requestUrl "https://google.com(?<**path**>.*)" | stats count as failureCount | appendcols [search index=app .. requestPath=$**path**$| stats count as total]

The variable **path** cannot be passed to requestPath in subsearch. I can only get total=0.

Anyone know how to get the path from the first search passed to subsearch?

Tags (2)
0 Karma

Esteemed Legend

Also, you cannot use asterisks ( * ) in a field name. Maybe that is the only problem that you are having?

0 Karma


I use following query. It works if base search result is not null. But get error if base search result is null - Error in 'map': Did not find value for required attribute 'commonPath'.
What can I do to skip the subsearch and set successRate to 100 when no numError?

index=app .. eventName=xxx| rex field=requestUrl "([^/]+://)?[^/]+(?/.*)" |stats count as numError by commonPath| map search="search index=app .. requestPath=$commonPath$| stats count as total by requestPath | eval successRate=(numTotal - $numError$)/numTotal*100 "
0 Karma


Thanks jplumsdaine22 & woodcock.
I cannot use requestUrl/eventName to count numErrors directly. I need to filter errors with other fields, like level=error. And this field exists only in event log not in access log.

So I decide to use map command even it is inefficient. Thanks for your help. 🙂

0 Karma

Esteemed Legend

Generally, this is done with the map command but that would be way too inefficient for this use-case.

Try this (put your special stuff instead of ...😞

index=app ... | rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(isnotnull(requestUrl))) AS numErrors count(eval(isnotnull(requestPathl))) AS numHits by commonPath
| where numErrors>0

This shows you only those path values that have errors and shows both a hit-count and error-count.

0 Karma


You may be better off doing this backwards.

index=app [index=app..eventName=xxx| rex field=requestUrl "https://google.com(?.*)" |fields requestPath]
|stats count as Total count(eval(eventName="xxx")) as Failures by requestPath

0 Karma
Get Updates on the Splunk Community!

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...