Splunk Search

Search result not in second with rex fields

drew_eckhardt
Engager

I want to look for requests in a service mesh ingest log which have no corresponding application log entries.

My first search is 

index=kubernetes source=*envoy-proxy*  (api.foo.com OR info) AND downstream_remote_disconnect 
| rex field=_raw "\[[^\]]+\] \"(?<downstream>[^\"]+)\".*\"(POST|GET) \"(?<host>[^\"]+)\" \"(?<path>[^\"\?]+)[\?]?\" [^\"]+\" (?<status>\d+).*\"(?<id1>[0-9a-f]{8})-(?<id2>[0-9a-f]{4})-(?<id3>[0-9a-f]{4})"
| eval id=id1.id2.id3
| fields id

My second search is

index=kubernetes source=*proxy* operation:
| rex field=_raw "span_id:(?<id>[0-9a-f]{16});"
| fields id

And the obvious way of combining them yields no results:

index=kubernetes source=*envoy-proxy*  (api.foo.com OR info) AND downstream_remote_disconnect 
| rex field=_raw "\[[^\]]+\] \"(?<downstream>[^\"]+)\".*\"(POST|GET) \"(?<host>[^\"]+)\" \"(?<path>[^\"\?]+)[\?]?\" [^\"]+\" (?<status>\d+).*\"(?<id1>[0-9a-f]{8})-(?<id2>[0-9a-f]{4})-(?<id3>[0-9a-f]{4})"
| eval id=id1.id2.id3
| fields id
| search NOT [
search index=kubernetes source=*proxy* operation:
| rex field=_raw "span_id:(?<id>[0-9a-f]{16});"
| fields id
]

richgalloway
SplunkTrust

Do the two searches work independently? Do they produce id field values that match?

If the two searches produce the same set of IDs then they'll cancel each other out and you'll get no results.

---
If this reply helps you, Karma would be appreciated.

drew_eckhardt
Engager

The searches work independently.

The first search has events with id fields that do not exist in the second search.

I learned this when I manually went through 50+ entries from the first search and looked for them with an AND clause in the second search producing no matches.

I'd like to automate that process.


richgalloway
SplunkTrust

Have you tried formatting the results of the second search?

index=kubernetes source=*envoy-proxy*  (api.foo.com OR info) AND downstream_remote_disconnect 
| rex field=_raw "\[[^\]]+\] \"(?<downstream>[^\"]+)\".*\"(POST|GET) \"(?<host>[^\"]+)\" \"(?<path>[^\"\?]+)[\?]?\" [^\"]+\" (?<status>\d+).*\"(?<id1>[0-9a-f]{8})-(?<id2>[0-9a-f]{4})-(?<id3>[0-9a-f]{4})"
| eval id=id1.id2.id3
| fields id
| search NOT [
  search index=kubernetes source=*proxy* operation:
  | rex field=_raw "span_id:(?<id>[0-9a-f]{16});"
  | fields id
  | format
  ]
---
If this reply helps you, Karma would be appreciated.
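The following Python is an added example, not code from this thread or from Splunk. It re-implements, outside Splunk, what the two rex patterns, the eval concatenation and the NOT-subsearch are meant to compute, on constructed Envoy and application-proxy log lines shaped to match the patterns in the question. Running the two extractions side by side is one way to answer the question asked above (do the two searches produce id values that match?): an id that is uppercase, or a request whose line the rex does not match, silently drops out of one side. `format_subsearch` mimics the default output of `| format` for a non-empty subsearch; the sample lines and ids are constructed.

```python
import re

# Python versions of the two rex patterns from the thread.
# SPL's (?<name>...) is written (?P<name>...) in Python; the escaped quotes
# in the SPL string are plain quotes here.
ENVOY_RE = re.compile(
    r'\[[^\]]+\] "(?P<downstream>[^"]+)".*"(POST|GET) "(?P<host>[^"]+)" '
    r'"(?P<path>[^"?]+)[?]?" [^"]+" (?P<status>\d+).*'
    r'"(?P<id1>[0-9a-f]{8})-(?P<id2>[0-9a-f]{4})-(?P<id3>[0-9a-f]{4})'
)
PROXY_RE = re.compile(r"span_id:(?P<id>[0-9a-f]{16});")

# Constructed sample events (not real logs), shaped to match the patterns.
ENVOY_EVENTS = [
    '[2024-05-01T12:00:00.000Z] "10.0.0.5:43122" downstream_remote_disconnect '
    '"GET "api.foo.com" "/v1/orders" HTTP/1.1" 200 "0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d"',
    '[2024-05-01T12:00:01.000Z] "10.0.0.6:51010" downstream_remote_disconnect '
    '"POST "api.foo.com" "/v1/orders?" HTTP/1.1" 503 "11112222-3333-4444-5555-666677778888"',
    '[2024-05-01T12:00:02.000Z] "10.0.0.7:39950" downstream_remote_disconnect '
    '"GET "api.foo.com" "/v1/users/42" HTTP/1.1" 200 "deadbeef-cafe-f00d-1234-56789abcdef0"',
    # No request id at all: the rex does not match, so this event gets no id field.
    '[2024-05-01T12:00:03.000Z] "10.0.0.8:40001" downstream_remote_disconnect '
    '"GET "api.foo.com" "/healthz" HTTP/1.1" 200 "-"',
]
PROXY_EVENTS = [
    "2024-05-01T12:00:00.100Z INFO operation:GetOrders; trace_id:0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d; "
    "span_id:0a1b2c3d4e5f6a7b; status:ok",
    "2024-05-01T12:00:02.100Z INFO operation:GetUser; span_id:deadbeefcafef00d; status:ok",
    "2024-05-01T12:00:05.000Z INFO operation:ListUsers; span_id:0123456789abcdef; status:ok",
    # Uppercase hex: [0-9a-f]{16} does not match, so this span id is never extracted.
    "2024-05-01T12:00:06.000Z INFO operation:ListUsers; span_id:DEADBEEFCAFEF00D; status:ok",
]


def envoy_ids(events):
    """Mirror `rex ... | eval id=id1.id2.id3 | fields id` on the ingress log."""
    ids = []
    for raw in events:
        m = ENVOY_RE.search(raw)
        if m:  # as in Splunk, an event the rex does not match yields no id
            ids.append(m.group("id1") + m.group("id2") + m.group("id3"))
    return ids


def proxy_ids(events):
    """Mirror `rex field=_raw "span_id:(?<id>[0-9a-f]{16});" | fields id`."""
    ids = []
    for raw in events:
        m = PROXY_RE.search(raw)
        if m:
            ids.append(m.group("id"))
    return ids


def format_subsearch(ids):
    """Render the id list the way `| format` renders a non-empty subsearch:
    ( ( id="a" ) OR ( id="b" ) ). Outer `search NOT [...]` negates this clause."""
    return "( ( " + " ) OR ( ".join(f'id="{i}"' for i in ids) + " ) )"


def unmatched_requests(envoy_events, proxy_events):
    """Mirror `... | search NOT [subsearch | fields id]`: ingress requests whose
    id never appears as a span_id in the application log (a left anti-join)."""
    known = set(proxy_ids(proxy_events))
    return [i for i in envoy_ids(envoy_events) if i not in known]


if __name__ == "__main__":
    print("ingress ids :", envoy_ids(ENVOY_EVENTS))
    print("app ids     :", proxy_ids(PROXY_EVENTS))
    print("subsearch   :", format_subsearch(proxy_ids(PROXY_EVENTS)))
    print("unmatched   :", unmatched_requests(ENVOY_EVENTS, PROXY_EVENTS))
```

Printing both id lists before computing the difference is the point: if the two lists share no values at all, the NOT-subsearch excludes nothing and every ingress request looks unmatched; if the envoy rex fails on every line, the outer search has no id field and returns nothing to exclude from. Either case shows up immediately here, and the same comparison can be made in Splunk by running each search alone with `| stats count by id`.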