Splunk Search

Pass parameters from one search to another

simonattardGO
Path Finder

Hi all,

We have a system which always logs two lines, Eg:

1) Operation | Status | Time
2) Operation | Type

I want a search which would return all the second lines, where the first line Status is Failed.
Eg. If I have these four logs, I want a search which returns only the 4th line (because the status of the operation is fail)

GET | SUCCESS | 100ms
GET | type1

GET | FAIL | 1000ms
GET | type1

Any ideas on how I can achieve this?

Thanks a lot!

Tags (2)
0 Karma
1 Solution

Ayn
Legend

I'd extract the "type1" value as a field and then create a transaction.

... | transaction maxevents=2 startswith="GET | FAIL"

Alternatively if you have some kind of unique identifier that connects the two, using a subsearch is more efficient. Say your log looks more like this:

id592 | GET | FAIL | 1000ms
id592 | type1

Then you could extract the identifier (let's call the field "id") and the type1 value ("type") and do:

type=* [search "GET | FAIL" | fields id]

View solution in original post

Ayn
Legend

I'd extract the "type1" value as a field and then create a transaction.

... | transaction maxevents=2 startswith="GET | FAIL"

Alternatively if you have some kind of unique identifier that connects the two, using a subsearch is more efficient. Say your log looks more like this:

id592 | GET | FAIL | 1000ms
id592 | type1

Then you could extract the identifier (let's call the field "id") and the type1 value ("type") and do:

type=* [search "GET | FAIL" | fields id]

View solution in original post

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!