- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Match by rex field in subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Match by rex field in subsearch
I have one log like:
log1 tid=,"tid":"abcd";
And another log like:
log2 userid=11 tid=abcd
I want to get the count of results where rexed tid in log1 matches tid in log2, deduped by userid.
I tried:
log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | eval tid1=tid | dedup userid] | stats count
However it returned 0. though there should be more.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ("log1" OR "log2")
| rex "tid=,\"tid\":\"(?<tid>.*)\";"
| eval which=if(searchmatch("log1"), "log1", "log2")
| dedup userid which
| stats dc(which) AS which_count BY tid
| where which_count==2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
e.g.
| makeresults
| eval _raw="userid=11 tid=abcd"
| appendpipe
[eval _raw="userid=12 tid=abce"]
| kv
| search
[| makeresults
| eval _raw="tid=,\"tid\":\"abcd\";"
| rex field=_raw "\"tid\":\"(?<tid1>.*)\";"
| rename tid1 as query]
Recommend:
log2
| kv
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]
| stats count by userid
Hi, @infcl
maybe, log1 does not have userid. so, dedup userid can't works and result is "0"
I don't know the fields extracted, I use kv
if log2 has the field userid , kv is not needed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately it didn't work.
log2 always has userid.
Even
log2
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]
did not return any results.
When I search log2 and log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 individually, they return results, so those portions are correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
log2 "tid1 value"
return results?
my search is same logic search.
I think you say
search log2⇨ returen results
search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1⇨ returen results
OK?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that's what I mean, the individual searches are correct. But the matching is not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If log2 tid field is extracted,
log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 |rename tid1 as tid]
This query should return results.
if is returns "0" , there really is no result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i don't know if this will make a difference, but your regex is missing escapes on your some of your characters. Try | rex "tid\"\:\"(?<tid1>[^\"]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jscraig2006 that shouldn't be a problem, because log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 does return results.
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
