Splunk Search

Linked searches

Bulluk
Path Finder

I index 2 log files which have a common ID field in them. I'd like to search against log file 1, get a series of IDs which match my search term and then use those IDs to find info from log file 2, eg

source=Log1 error="some error message" | source=Log2 ID

In the above, the search to the left of the pip finds 1 or more results. On the right of the pipe we search for all events which have the ID from the first part of the search.

Seems like it should be easy but I'm having a "can't see the wood for the trees" moment and can't work it out.

thanks in advance!

Tags (2)
0 Karma
1 Solution

Ayn
Legend

As I understand your requirement I think your best option might be to use a regular subsearch (http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork ).

Step-by-step: " I'd like to search against log file 1, get a series of IDs which match my search term"

source=Log1 error="some error message"

"and then use those IDs to find info from log file 2"

source=Log2 [search source=Log1 error="some error message" | fields ID]

EDIT: If you want the actual events from both sources, you could either use join as has been suggested, or transaction that will create a new event (a transaction) that combines all events having the same ID.

(source=Log1 error="some error message") OR (source=Log2) | transaction ID

View solution in original post

0 Karma

Ayn
Legend

As I understand your requirement I think your best option might be to use a regular subsearch (http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork ).

Step-by-step: " I'd like to search against log file 1, get a series of IDs which match my search term"

source=Log1 error="some error message"

"and then use those IDs to find info from log file 2"

source=Log2 [search source=Log1 error="some error message" | fields ID]

EDIT: If you want the actual events from both sources, you could either use join as has been suggested, or transaction that will create a new event (a transaction) that combines all events having the same ID.

(source=Log1 error="some error message") OR (source=Log2) | transaction ID
0 Karma

Bulluk
Path Finder

source=Log2 [search source=Log1 error="some error message" | fields ID]

This is the one that nailed it for me. Thanks for your help 🙂

0 Karma

Ayn
Legend

You could also use transaction. See my updated answer.

0 Karma

Ayn
Legend

OK, so you want not just the ID from log1, but also the actual event? In that case the requirement will indeed be a bit different, as the subsearch would essentially return something like ((id="id1") OR (id="id2") OR ... ) to the outer search.

0 Karma

Bulluk
Path Finder

Log1 contains the error message and the ID.
Log2 contains the ID and some other info I'm interested in. In a scripting language I'd pass the result of the first query into an array then iterate around it to find the info I want in Log2 ie

$IDs = 1,2,3,4

foreach ($ID in $IDs)
{
select $info1, $info2
where $IDfield = $ID
}

0 Karma

johandk
Path Finder
source=log1 error="ERROR" | join ID [search source=Log2]

This will do a SQL like join on the ID field.

Bulluk
Path Finder

I ended up using Ayn's solution below but I think the join approach would have worked if I'd spent time with it. Thanks for your help

0 Karma

Bulluk
Path Finder

This looks close but I'm getting odd results

source=log1 error="ERROR" returns over 100 results

source=log1 error="ERROR" | join ID [search source=Log2] only returns 1 result despite there being a 1 to 1 relationship with the ID.

I shall play a bit more to see if I can work out what I'm doing wrong

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...