
How to get a variable from first search and pass to subsearch?

amylala
Explorer

There are 2 kinds of log:
one is error log
the other is access log.

In the error log there is a field requestUrl, whose value format is https://google.com/home.html.
In the access log there is a field requestPath, whose value format is /home.html.

I want to join them on requestUrl and requestPath and then count the error rate.

The query I used is like:

index=app..eventName=xxx| rex field=requestUrl "https://google.com(?<**path**>.*)" | stats count as failureCount | appendcols [search index=app .. requestPath=$**path**$| stats count as total]

The variable **path** cannot be passed to requestPath in subsearch. I can only get total=0.

Does anyone know how to get the path from the first search passed to the subsearch?


woodcock
Esteemed Legend

Also, you cannot use asterisks ( * ) in a field name. Maybe that is the only problem that you are having?


amylala
Explorer

I use the following query. It works if the base search result is not null, but I get an error if the base search result is null: Error in 'map': Did not find value for required attribute 'commonPath'.
What can I do to skip the subsearch and set successRate to 100 when there is no numError?

index=app .. eventName=xxx | rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)" | stats count as numError by commonPath | map search="search index=app .. requestPath=$commonPath$ | stats count as numTotal by requestPath | eval successRate=(numTotal - $numError$)/numTotal*100"

amylala
Explorer

Thanks jplumsdaine22 & woodcock.
I cannot use requestUrl/eventName to count numErrors directly. I need to filter errors with other fields, like level=error, and this field exists only in the event log, not in the access log.

So I decided to use the map command even though it is inefficient. Thanks for your help. 🙂


woodcock
Esteemed Legend

Generally, this is done with the map command but that would be way too inefficient for this use-case.

Try this (put your special stuff instead of ...):

index=app ... | rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(isnotnull(requestUrl))) AS numErrors count(eval(isnotnull(requestPath))) AS numHits by commonPath
| where numErrors>0

This shows you only those path values that have errors and shows both a hit-count and error-count.

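As an added example (not part of woodcock's answer or the original thread), the same single-pass approach extended to the follow-up requirement of identifying errors by level=error rather than by eventName, and computing successRate without a subsearch. It assumes error events carry level and requestUrl, access events carry requestPath, and that both live in index=app; the field and index names are taken from the thread, the combined base-search filter is an assumption.

```spl
index=app (level=error OR requestPath=*)
| rex field=requestUrl "([^/]+://)?[^/]+(?<commonPath>/.*)"
| eval commonPath=coalesce(commonPath, requestPath)
| stats count(eval(level="error")) AS numErrors
        count(eval(isnotnull(requestPath))) AS numHits
        by commonPath
| where numHits>0
| eval successRate=round((numHits-numErrors)/numHits*100, 2)
| sort - numErrors
```

Because errors and hits are counted in one stats pass, a path with zero errors naturally yields successRate=100, and the where clause avoids a divide-by-zero for paths that appear only in error events.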

jplumsdaine22
Influencer

You may be better off doing this backwards.

index=app [search index=app..eventName=xxx | rex field=requestUrl "https://google.com(?<requestPath>.*)" | fields requestPath]
| stats count as Total count(eval(eventName="xxx")) as Failures by requestPath
