Hi All
There is a Splunk query like this:
(index=Prod sourcetype=ProdApp (host=Prod01 OR host=Prod02) source="/prodlib/SPLID" "Response" ERR-12120)
| rex "^(?:[^\[\n]*\[){6}(?P<u>\w+)"
| rex field=_raw "(?<my_json>\{.*)"
| spath input=my_json output=customerName path=response.login.customerName
| spath input=my_json output=responseCode path=response.responseHeader.responseContext.responseCode
| dedup customerName
| table customerName,responseCode
| append [search index=Prod sourcetype=ProdApp (host=Prod01 OR host=Prod02) source="/prodlib/SPLID" "Request"
| rex "^(?:[^\[\n]*\[){6}(?P<u>\w+)"
| rex field=_raw "(?<my_json>\{.*)"
| spath input=my_json output=userId path=data.userId
| dedup userId
| table userId]
I will try to join both sources, Request and Response, and the result is like the attachment below:
My question is, how do I show the 5 user IDs? (in the blue line)
Because I already tried joining both sources, and the user ID shown is not related to the customer name (in the black line).
| table _time,customerName,responseCode,username
As @ITWhisperer asked, you should use the </> button/link in the reply editor to open the code block window. Then just copy-paste the event or whatever is asked.
Why use a code block (</>) instead of just copy/pasting into the reply? The main reason is that when you use a code block, we see exactly what you have, not what this system has formatted to show. From time to time there are some crucial differences between those two formats!
Not able to work
I already entered it like this from your script, but it still errors:
(index=prd-splid sourcetype=prd-splid-app (host=Prod11 OR host=Prod12 OR host=Prod011 OR host=Prod012) source="/prodlib/SPLID/logs/spl-message-*.log" "Response" "-/spl-banking/services/id/security/v1/login" SPL-PRD-99999)
| rex "^(?:[^\[\n]*\[){6}(?P<u>\w+)"
| rex field=_raw "(?<my_json>\{.*)"
| spath input=my_json output=customerName path=response.login.customerName
| spath input=my_json output=responseCode path=response.responseHeader.responseContext.responseCode
| dedup customerName
| table customerName,responseCode
| streamstats count as row
| append [search index=prd-splid sourcetype=prd-splid-app (host=Prod11 OR host=Prod12 OR host=Prod011 OR host=Prod012) source="/prodlib/SPLID/logs/spl-message-*.log" ("Request" "-/spl-banking/services/id/security/v1/login")
| rex "^(?:[^\[\n]*\[){6}(?P<u>\w+)"
| rex field=_raw "(?<my_json>\{.*)"
| spath input=my_json output=userId path=data.userId
| dedup userId
| table userId
| streamstats count as row]
| stats values(*) as * by row
| fields - row
This is my script:
(index=prd-splid sourcetype=prd-splid-app (host=LXSPLPIDV11 OR host=LXSPLPIDV12 OR host=LXSPLPIDV011 OR host=LXSPLPIDV012) source="/prodlib/SPLID/logs/spl-message-*.log" "Response" "-/spl-banking/services/id/security/v1/login" SPL-PRD-99999)
| rex "^(?:[^\[\n]*\[){6}(?P<u>\w+)"
| rex field=_raw "(?<my_json>\{.*)"
| spath input=my_json output=customerName path=response.login.customerName
| spath input=my_json output=responseCode path=response.responseHeader.responseContext.responseCode
| dedup customerName
| table customerName,responseCode
| append [search index=prd-splid sourcetype=prd-splid-app (host=Prod11 OR host=Prod12 OR host=Prod011 OR host=Prod012) source="/prodlib/SPLID/logs/spl-message-*.log" ("Request" "-/spl-banking/services/id/security/v1/login")
| rex "^.+(\[[^\]]+\].*){4}\[(?<userid>[^\]]+)\]"
| rex field=_raw "(?<my_json>\{.*)"
| spath input=my_json output=userId path=data.userId
| dedup userId
| table userId]
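As an added example that is not part of the thread or of Splunk's own code: the same two extractions in Python, correlating each Request with its Response on the id that the first rex captures as u (which the SPL above extracts but then drops before the table), run over constructed sample events. It assumes the sixth bracketed field is a per-request id; pairing by streamstats row number only lines up correctly when both subsearches yield the same rows in the same order, which dedup and interleaved hosts do not guarantee.

```python
import json
import re

# Same extraction logic as the thread's rex/spath chain, as Python regexes.
# The thread's second rex uses (?<name>...) syntax; Python's re needs (?P<name>...).
PREFIX_RE = re.compile(r"^(?:[^\[\n]*\[){6}(?P<u>\w+)")
JSON_RE = re.compile(r"(?P<my_json>\{.*)")

# Constructed sample events (not from the original thread). The sixth bracketed
# field is the per-request id captured as "u"; TXN003 has no Response yet, and
# TXN001/TXN002 answer in the opposite order to how they were requested.
SAMPLE_EVENTS = [
    '[2024-01-01 10:00:00] [INFO] [Prod11] [SPLID] [thread-1] [TXN001] Request -/spl-banking/services/id/security/v1/login {"data": {"userId": "user1001"}}',
    '[2024-01-01 10:00:00] [INFO] [Prod12] [SPLID] [thread-2] [TXN002] Request -/spl-banking/services/id/security/v1/login {"data": {"userId": "user1002"}}',
    '[2024-01-01 10:00:01] [INFO] [Prod12] [SPLID] [thread-2] [TXN002] Response {"response": {"login": {"customerName": "Bob"}, "responseHeader": {"responseContext": {"responseCode": "00"}}}}',
    '[2024-01-01 10:00:02] [INFO] [Prod11] [SPLID] [thread-1] [TXN001] Response {"response": {"login": {"customerName": "Alice"}, "responseHeader": {"responseContext": {"responseCode": "00"}}}}',
    '[2024-01-01 10:00:03] [INFO] [Prod11] [SPLID] [thread-3] [TXN003] Request -/spl-banking/services/id/security/v1/login {"data": {"userId": "user1003"}}',
]

def parse_event(line):
    """Return (u, kind, payload) for one event, or None if it does not match."""
    m_prefix = PREFIX_RE.search(line)
    m_json = JSON_RE.search(line)
    if not m_prefix or not m_json:
        return None
    kind = "Request" if " Request " in line else "Response"
    return m_prefix.group("u"), kind, json.loads(m_json.group("my_json"))

def spath(obj, path):
    """Minimal equivalent of spath's dotted path lookup; None when a key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def correlate(events):
    """Join Request and Response events on the shared id u, not on row order."""
    rows = {}
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue  # malformed or unrelated event, skipped like a failed rex
        u, kind, payload = parsed
        row = rows.setdefault(u, {"userId": None, "customerName": None, "responseCode": None})
        if kind == "Request":
            row["userId"] = spath(payload, "data.userId")
        else:
            row["customerName"] = spath(payload, "response.login.customerName")
            row["responseCode"] = spath(payload, "response.responseHeader.responseContext.responseCode")
    return rows

if __name__ == "__main__":
    for u, row in correlate(SAMPLE_EVENTS).items():
        print(u, row)
```

The SPL equivalent is to keep u in both subsearches and finish with stats values(*) as * by u instead of by row.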