Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search by variable created within a join qu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search by variable created within a join query?
akonduru
New Member
03-11-2016
05:53 AM
I want join/combine two searches by their common value to compare transaction success/failure rate at both places. i tried something below, but unable to search by evaluated result
Step1: Extract substring from second log as this value exactly doesn't match within first log.
index=indexoffirstlog sourcetype="secondlog" eval length=len(fieldinterestedin) | eval transaction_id=substr(fieldinterestedin, 6, length)
Step2: Search results within first log where result contain transaction_id (Not Joined yet, just checking first log query alone)
index=indexoffsfirstlog sourcetype="firstlog" matchstringoffirstlog
Step3: Now join both searches and search by transaction_id
index=indexoffirstlog AND index=indexofsecondlog sourcetype="secondlog" matchstringoffirstlog | eval length=len(fieldinterestedin) | eval result=substr(fieldinterestedin, 6, length) | search result
But i am not getting any results. appreciate any advice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-11-2016
04:02 PM
Change your AND to OR!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-11-2016
09:41 AM
Is the length of fieldinterestedin constant?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akonduru
New Member
03-11-2016
12:29 PM
No, It is not same. length varies. But fieldinterestedin always start wit constant like "ABCD23423fsdfsd" where ABCD is constant.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-11-2016
12:37 PM
Final doubt, if you remove the constant part in the fieldinterestedin field from search 2, would it match exactly with fieldinterestedin in search 1?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akonduru
New Member
03-11-2016
03:39 PM
yes, it match except the constant part which is why i am doing substring to take off Constant part.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
