Search Between Two Files with output of one file (...

bansi · ‎12-07-2010

We have a requirement to search with two files

1) Search on File 1 to produce a list of ids

2) The List of Ids will then be passed as input to File 2

3) For each id in the List , we have to match all the occurences of id in File 2 and print the search results

I am able to search on File 1 and able to extract List of ids using following regex Here is the regex

source="SPLUNK_File1_SERVICE_Log.txt"  | fields +  contractId, authorizedInd | fields - _raw | where isnotnull(contractId) and authorizedInd="N"

I am not sure how to pass this List of contractIds as Input to File 2 . Also i am not sure how to loop through the List of contractIds and for each contractId find all the occurences in File 2.

The following regex returns no rows

[search source="Test_ContractIds_Log"  | dedup contractId | fields + contractId |  where isnotnull(contractId) ] source="Test_Log.txt" | xmlkv entry | rex "(?i)\<TransactionAttributes\>\<entry key=\"CONTRACT_ID\"\>(?<contractId>[^\<]+)" |  table contractId, memberId

woodcock · ‎05-26-2015

Use the map command like this:

source=source1 | dedup source1ID | map search="source=source2 source2ID=$source1ID$"

bansi · ‎12-09-2010

Suprisingly no comments yet. Hopefully someone will answer it. I am able to search on File2 with hard-coding the value of "id" in the where clause i.e.
....| where id='123'
but in real-time the value of id has to come from File 1. Infact for each value of id in File 1 will be supplied as input to search query

Search Between Two Files with output of one file (i.e. List of ids) passed as input to other file

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)