Splunk Search

Match by rex field in subsearch


I have one log like:
log1 tid=,"tid":"abcd";

And another log like:
log2 userid=11 tid=abcd

I want to get the count of results where rexed tid in log1 matches tid in log2, deduped by userid.

I tried:
log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | eval tid1=tid | dedup userid] | stats count

However, it returned 0, though there should be more.

0 Karma

Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ("log1" OR "log2")
| rex "tid=,\"tid\":\"(?<tid>.*)\";"
| eval which=if(searchmatch("log1"), "log1", "log2")
| dedup userid which keepempty=true
| stats dc(which) AS which_count BY tid
| where which_count==2
0 Karma



| makeresults 
| eval _raw="userid=11 tid=abcd"
| appendpipe 
    [eval _raw="userid=12 tid=abce"]
| kv
| search
    [| makeresults 
    | eval _raw="tid=,\"tid\":\"abcd\";" 
    | rex field=_raw "\"tid\":\"(?<tid1>.*)\";" 
    | rename tid1 as query]


log2
| kv
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]
| stats count by userid

Hi, @infcl
Maybe log1 does not have userid, so dedup userid can't work and the result is "0".
I don't know which fields are extracted, so I use kv.
If log2 has the field userid, kv is not needed.

0 Karma


Unfortunately it didn't work.

log2 always has userid.


   | search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]

did not return any results.

When I search log2 and log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 individually, they return results, so those portions are correct.

0 Karma

Does
log2 "tid1 value"
return results?

My search uses the same logic.

I think you are saying:
search log2 ⇨ returns results
search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 ⇨ returns results

0 Karma


Yes that's what I mean, the individual searches are correct. But the matching is not.

0 Karma


If the log2 tid field is extracted,

log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 | rename tid1 as tid]

this query should return results.
If it returns "0", there really is no result.

0 Karma


I don't know if this will make a difference, but your regex is missing escapes on some of your characters. Try | rex "tid\"\:\"(?<tid1>[^\"]+)"

0 Karma


@jscraig2006 that shouldn't be a problem, because log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 does return results.

0 Karma
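Added example, not part of the thread and not Splunk's own code: a small Python emulation of the two approaches discussed above, the subsearch join (log2 filtered by tids rexed out of log1, then dedup userid) and the single-search variant (tag each event with which=log1|log2, dedup userid which, count tids with dc(which)==2), run over constructed sample events. It also shows why the greedy `.*` in the original regex differs from jscraig2006's `[^"]+` once a log1 line carries a second quoted field, and why dedup on a field log1 never has drops those events unless keepempty=true is set. The kv extraction and dedup helpers are simplified stand-ins for the Splunk commands, not their real implementations.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (not taken from the thread).
# log1 carries the tid inside a JSON-ish fragment; log2 is plain key=value.
LOG1_EVENTS = [
    'log1 tid=,"tid":"abcd";',
    'log1 tid=,"tid":"wxyz";',
    # A second quoted field after tid: the greedy .* over-captures on this line.
    'log1 tid=,"tid":"efgh";,"sid":"zz";',
]
LOG2_EVENTS = [
    "log2 userid=11 tid=abcd",
    "log2 userid=11 tid=abcd",  # same user twice: dedup userid collapses these
    "log2 userid=12 tid=abcd",
    "log2 userid=13 tid=efgh",
    "log2 userid=14 tid=nope",
]

# The regex from the question (greedy .*) and jscraig2006's tighter variant.
REX_GREEDY = re.compile(r'tid=,"tid":"(?P<tid1>.*)";')
REX_TIGHT = re.compile(r'"tid":"(?P<tid1>[^"]+)"')

# Rough stand-in for Splunk's automatic key=value extraction (the kv command).
KV = re.compile(r"(\w+)=(\S+)")


def rex_tids(events, pattern):
    """Emulate `rex field=_raw ... | fields tid1`: one capture per matching event."""
    return [m.group("tid1") for m in map(pattern.search, events) if m]


def kv_extract(event):
    return dict(KV.findall(event))


def dedup(events, fields, keepempty=False):
    """Emulate `dedup <fields>`: keep the first event per field combination.

    Like Splunk's default (keepempty=false), an event that lacks any of the
    listed fields is dropped entirely unless keepempty is set.
    """
    seen, out = set(), []
    for ev in events:
        if any(f not in ev for f in fields):
            if keepempty:
                out.append(ev)
            continue
        key = tuple(ev[f] for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def count_users_with_log1_tid(log1, log2, pattern):
    """Emulate: log2 [search log1 | rex ... | fields tid1 | rename tid1 AS tid]
                | dedup userid | stats count

    The subsearch expands to (tid=a OR tid=b ...), so log2 is filtered to the
    tids rexed out of log1; dedup userid then keeps one event per user.
    """
    tids = set(rex_tids(log1, pattern))
    matched = [f for f in map(kv_extract, log2) if f.get("tid") in tids]
    return len(dedup(matched, ["userid"]))


def tids_seen_in_both(log1, log2, pattern, keepempty=False):
    """Emulate the single-search answer:
    ("log1" OR "log2") | rex ... | eval which=... | dedup userid which
    | stats dc(which) AS which_count BY tid | where which_count==2
    """
    events = []
    for ev in log1:
        fields = {"which": "log1"}
        m = pattern.search(ev)
        if m:
            fields["tid"] = m.group("tid1")
        events.append(fields)
    for ev in log2:
        fields = kv_extract(ev)
        fields["which"] = "log2"
        events.append(fields)
    which_by_tid = defaultdict(set)
    for ev in dedup(events, ["userid", "which"], keepempty=keepempty):
        if "tid" in ev:
            which_by_tid[ev["tid"]].add(ev["which"])
    return sorted(t for t, w in which_by_tid.items() if len(w) == 2)


if __name__ == "__main__":
    for name, rex in (("greedy .*", REX_GREEDY), ('[^"]+', REX_TIGHT)):
        print(name, rex_tids(LOG1_EVENTS, rex))
        print("  users matched:", count_users_with_log1_tid(LOG1_EVENTS, LOG2_EVENTS, rex))
        print("  dedup default:", tids_seen_in_both(LOG1_EVENTS, LOG2_EVENTS, rex))
        print("  keepempty=true:", tids_seen_in_both(LOG1_EVENTS, LOG2_EVENTS, rex, keepempty=True))
```

With the greedy regex the third log1 line yields the capture `efgh";,"sid":"zz`, so userid 13 is never matched; with `[^"]+` it yields `efgh` and the user count rises from 2 to 3. The single-search variant returns nothing at all under the default dedup because every log1 event lacks userid and is discarded before the tid can be counted in both sources.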