How to search for a field using value of other fie...

deepakmr8 · ‎09-12-2024

Hi,

I have two fields, both these fields will be in two different events, now i want to search for events, where aggr_id=*session_ID*, basically i'm looking to search for field1=*field2*

field1: session_ID= 1234567890

field2: aggr_id= ldt:1234567890:09821

ITWhisperer · ‎09-12-2024

It is not usually good to start a search with a wildcard, so assuming aggr_id always starts with Idt:, you could do something like this

| makeresults
| eval aggr_id="ldt:1234567890:09821"
| search 
    [| makeresults
    | eval session_ID= 1234567890
    | eval aggr_id="ldt:".session_ID."*"
    | table aggr_id
    | dedup aggr_id]

The makeresults just set up dummy data and should be replaced by your index search

<index search> [search index
    | eval aggr_id="ldt:".session_ID."*"
    | table aggr_id
    | dedup aggr_id]

gcusello · ‎09-12-2024

Hi @deepakmr8 ,

if the rule in the second field is fixed, you could use a regex to extract the relevant part fo the match:

<your_search>
| rex field=aggr_id "^\w+:(?<extract>[^:]+)"
| search session_ID=extract

Ciao.

Giuseppe

How to search for a field using value of other field

field extraction

subsearch

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?