Re: Search Between Two Files with output of one fi...

bansi · ‎12-07-2010

We have a requirement to search with two files

1) Search on File 1 to produce a list of ids

2) The List of Ids will then be passed as input to File 2

3) For each id in the List , we have to match all the occurences of id in File 2 and print the search results

I am able to search on File 1 and able to extract List of ids using following regex Here is the regex

source="SPLUNK_File1_SERVICE_Log.txt"  | fields +  contractId, authorizedInd | fields - _raw | where isnotnull(contractId) and authorizedInd="N"

I am not sure how to pass this List of contractIds as Input to File 2 . Also i am not sure how to loop through the List of contractIds and for each contractId find all the occurences in File 2.

The following regex returns no rows

[search source="Test_ContractIds_Log"  | dedup contractId | fields + contractId |  where isnotnull(contractId) ] source="Test_Log.txt" | xmlkv entry | rex "(?i)\<TransactionAttributes\>\<entry key=\"CONTRACT_ID\"\>(?<contractId>[^\<]+)" |  table contractId, memberId

woodcock · ‎05-26-2015

Use the map command like this:

source=source1 | dedup source1ID | map search="source=source2 source2ID=$source1ID$"

bansi · ‎12-09-2010

Suprisingly no comments yet. Hopefully someone will answer it. I am able to search on File2 with hard-coding the value of "id" in the where clause i.e.
....| where id='123'
but in real-time the value of id has to come from File 1. Infact for each value of id in File 1 will be supplied as input to search query

Search Between Two Files with output of one file (i.e. List of ids) passed as input to other file

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?