Splunk Search

Search Between Two Files with output of one file (i.e. List of ids) passed as input to other file

bansi
Path Finder

We have a requirement to search with two files

1) Search on File 1 to produce a list of ids

2) The List of Ids will then be passed as input to File 2

3) For each id in the List, we have to match all the occurrences of id in File 2 and print the search results

I am able to search on File 1 and able to extract the List of ids using the following regex. Here is the regex:

source="SPLUNK_File1_SERVICE_Log.txt"  | fields +  contractId, authorizedInd | fields - _raw | where isnotnull(contractId) and authorizedInd="N"

I am not sure how to pass this List of contractIds as Input to File 2. Also I am not sure how to loop through the List of contractIds and for each contractId find all the occurrences in File 2.

The following regex returns no rows

[search source="Test_ContractIds_Log"  | dedup contractId | fields + contractId |  where isnotnull(contractId) ] source="Test_Log.txt" | xmlkv entry | rex "(?i)\<TransactionAttributes\>\<entry key=\"CONTRACT_ID\"\>(?<contractId>[^\<]+)" |  table contractId, memberId

woodcock
Esteemed Legend

Use the map command like this:

source=source1 | dedup source1ID | map search="source=source2 source2ID=$source1ID$"

bansi
Path Finder

Surprisingly no comments yet. Hopefully someone will answer it. I am able to search on File2 with hard-coding the value of "id" in the where clause, i.e.
....| where id='123'
but in real-time the value of id has to come from File 1. In fact, each value of id in File 1 will be supplied as input to the search query.

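The three steps in the question (collect ids from File 1, pass them to File 2, match every occurrence per id) boil down to a two-log correlation. The Python below is an added example, not code from the thread or from Splunk, that carries the same procedure out offline so the two strategies in the thread can be compared on constructed data: the subsearch style (the id list becomes one filter applied to a single scan of File 2) and the map style (one scan per id, which is what `map` does in Splunk, running the inner search once per row). The sample log lines, the key=value layout of File 1 and the `MEMBER_ID` entry in File 2 are all assumptions; the `CONTRACT_ID` regex is the question's own rex rewritten in Python's `(?P<name>...)` group syntax. One mechanical point the example makes visible: a subsearch's rows are turned into an OR-ed filter of `contractId=...` terms applied to the outer base search, so that field has to exist at search time; a field created only by a later `rex` in the outer pipeline is not there to be filtered on, whereas in the code the extraction happens before the membership check.

```python
import re
from collections import defaultdict

# Constructed sample of File 1 (hypothetical service log): one event per line.
FILE1_LINES = [
    "2024-03-01T10:00:01 svc=contracts contractId=123 authorizedInd=N",
    "2024-03-01T10:00:02 svc=contracts contractId=456 authorizedInd=Y",
    "2024-03-01T10:00:03 svc=contracts contractId=789 authorizedInd=N",
    "2024-03-01T10:00:04 svc=contracts contractId=123 authorizedInd=N",  # repeated id, deduplicated below
    "2024-03-01T10:00:05 svc=contracts authorizedInd=N",                 # no contractId: dropped
]

# Constructed sample of File 2 (hypothetical transaction log) carrying the XML
# fragment that the question's rex expects, plus one unrelated line.
FILE2_LINES = [
    '2024-03-01T10:05:00 <TransactionAttributes><entry key="CONTRACT_ID">123</entry><entry key="MEMBER_ID">M-01</entry></TransactionAttributes>',
    '2024-03-01T10:05:01 <TransactionAttributes><entry key="CONTRACT_ID">456</entry><entry key="MEMBER_ID">M-02</entry></TransactionAttributes>',
    '2024-03-01T10:05:02 <TransactionAttributes><entry key="CONTRACT_ID">789</entry><entry key="MEMBER_ID">M-03</entry></TransactionAttributes>',
    '2024-03-01T10:05:03 <TransactionAttributes><entry key="CONTRACT_ID">123</entry><entry key="MEMBER_ID">M-04</entry></TransactionAttributes>',
    "2024-03-01T10:05:04 heartbeat ok",
]

# Assumed key=value layout of File 1 (the question does not show its raw format).
FILE1_RE = re.compile(r"contractId=(?P<contractId>\S+).*?authorizedInd=(?P<authorizedInd>\S+)")
# The question's rex, with the named group in Python syntax.
CONTRACT_RE = re.compile(r'(?i)<TransactionAttributes><entry key="CONTRACT_ID">(?P<contractId>[^<]+)')
# Assumed companion entry so the result can carry memberId like the question's table.
MEMBER_RE = re.compile(r'(?i)<entry key="MEMBER_ID">(?P<memberId>[^<]+)')


def unauthorized_contract_ids(file1_lines):
    """Step 1: the deduplicated set of contractIds with authorizedInd=N.

    Mirrors: fields contractId, authorizedInd | where isnotnull(contractId) and authorizedInd="N" | dedup contractId
    """
    ids = set()
    for line in file1_lines:
        m = FILE1_RE.search(line)
        if m and m.group("authorizedInd") == "N":
            ids.add(m.group("contractId"))
    return ids


def find_contract_events(file2_lines, wanted_ids):
    """Steps 2 and 3, subsearch style: extract CONTRACT_ID from every File 2 event
    first, then keep the events whose id is in the list. Returns {contractId: [events]}.
    """
    hits = defaultdict(list)
    for line in file2_lines:
        m = CONTRACT_RE.search(line)
        if not m:
            continue                      # no TransactionAttributes fragment on this line
        cid = m.group("contractId")
        if cid not in wanted_ids:
            continue                      # the OR-ed filter would reject this event
        mm = MEMBER_RE.search(line)
        hits[cid].append({
            "contractId": cid,
            "memberId": mm.group("memberId") if mm else None,
            "_raw": line,
        })
    return dict(hits)


def correlate(file1_lines, file2_lines):
    """Whole pipeline, subsearch style: one pass over File 2 with the full id set."""
    return find_contract_events(file2_lines, unauthorized_contract_ids(file1_lines))


def correlate_per_id(file1_lines, file2_lines):
    """Whole pipeline, map style: one pass over File 2 per id, like
    `map search="source=source2 source2ID=$source1ID$"` running once per row.
    Same answer as correlate(), but File 2 is scanned len(ids) times.
    """
    result = {}
    for cid in unauthorized_contract_ids(file1_lines):
        events = find_contract_events(file2_lines, {cid}).get(cid, [])
        if events:
            result[cid] = events
    return result


if __name__ == "__main__":
    for cid, events in sorted(correlate(FILE1_LINES, FILE2_LINES).items()):
        for ev in events:
            print(cid, ev["memberId"])
```

With the constructed data, contractId 456 is excluded because it is authorized, the duplicate 123 in File 1 is counted once, and both 123 events in File 2 come back; the two strategies return identical results, the difference being only how many times File 2 is read.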