
Splunk Append Query

NishantKrishna
Loves-to-Learn

I am using the below query to merge 2 queries using append. However, I am unable to get the value of the field named "Code" from the first query under | search "Some Logger" printed in the Statistics section:

index=*
sourcetype=*
host=*
| search "Some Logger"
| rex "LoggerName\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
| table Code
| append
[ search
host=*
| search "LoggerName2*"
| rex field=_raw "field1=(?<field1>)\}"
| rex field=_raw "field2=(?<field2>),"
| rex field=_raw "field3=(?<field3>[a-zA-z-_0-9\\s]*)"
| rex field=_raw "(?<field4>[\w-]+)$"
| rex field=_raw "field5=(?<field5>),"
| rex field=_raw "field6=(?<field6>),"
| table field1,field2
]

The result from the 2nd/child query, i.e. | search "LoggerName2*", is printing just fine in a tabular format.

The value of the Code field is the API response code, i.e. it can be 2XX, 3XX, 4XX or 5XX.
Could someone please help? Thanks!


NishantKrishna
Loves-to-Learn

Logger 1 events:

2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] XXXXXXXXX : <LoggerName1>|17327025|field|field|field|field|field|200


Logger 2 events:

2024-02-13 13:58:24.174 INFO 54208 ---[XX_XX:xx-xxx-xxx][utor-thread-XXX] c.l.s.d.a.XXXXXXX : XXX-XXX-20000: XXX: true, XXX: XXXXXXXXXXX0305a8a3f369f518,

XXXX: 6shfsgj7601f909<LoggerName2> {notificationDetails={key=XXX, key=hXXXXXn@XX.com , key=XXXXX, key=XXX, key=donotreply@XXX.co.uk, key=XXX63801, key=XXX_20240213, key=XXX_BATCH}, templateVariables={key=XXXX7757key=9NE, key=Mr, key=Mau}} , 583d6bc3-5e7d-4af8-a626-22db8bb50cb9


ITWhisperer
SplunkTrust

Your regex does not match your sample events. For example, the logger1 regex could look like this (assuming your example event is accurate):

| rex "\<LoggerName\d\>\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
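To make the point of the reply above concrete, here is an added Python example (not part of the original thread and not Splunk code) that runs the poster's original rex pattern and the corrected pattern from the reply against a constructed event shaped like the anonymised "Logger 1" line. Splunk's rex uses PCRE-style `(?<name>...)` groups, which Python's re module spells `(?P<name>...)`, so a small translation helper is included. The sample events, the field values in them, and the third pattern anchored on the literal `API EXECUTION TIME|` prefix (modelled on the event format the poster describes later in the thread) are assumptions made for this example.

```python
import re

# Constructed sample events (not real log data). The first mirrors the
# anonymised "Logger 1" line shared in the thread; the second mirrors the
# "API EXECUTION TIME|..." format the poster describes later on.
LOGGER1_EVENT = (
    "2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] "
    "XXXXXXXXX : <LoggerName1>|17327025|EMAIL|SMS|BRAND|XX_YYYYYYY_ZZZ_XXX|"
    "583d6bc3-5e7d-4af8-a626-22db8bb50cb9|200"
)
API_TIME_EVENT = (
    "2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] "
    "c.l.s.d.a.NotificationResourceController : API EXECUTION TIME|17327025|"
    "EMAIL|SMS|BRAND|XX_YYYYYYY_ZZZ_XXX|583d6bc3-5e7d-4af8-a626-22db8bb50cb9|503"
)

# The seven pipe-separated fields are the same in every variant; only the
# anchor in front of them differs.
FIELDS = (
    r"(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|"
    r"(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
)

# Pattern from the original question: expects the literal text "LoggerName|",
# which never occurs because the event actually contains "<LoggerName1>|".
ORIGINAL_REX = r"LoggerName\|" + FIELDS

# Pattern from the reply: anchors on "<LoggerName<digit>>|".
CORRECTED_REX = r"\<LoggerName\d\>\|" + FIELDS

# Assumed pattern for the "API EXECUTION TIME|..." event shape (example only).
API_TIME_REX = r"API EXECUTION TIME\|" + FIELDS


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(pattern: str, event: str) -> dict:
    """Mimic Splunk's rex: return the named groups on a match, else no fields.

    Splunk does not drop an event when rex fails to match; the event simply
    carries none of the named fields, which is why '| table Code' shows an
    empty cell for it.
    """
    match = re.search(pcre_to_python(pattern), event)
    return match.groupdict() if match else {}


def extract_code(events: list, pattern: str) -> list:
    """Equivalent of '| rex ... | table Code': one entry per event, None if
    the pattern did not extract a Code field from that event."""
    return [rex(pattern, event).get("Code") for event in events]


if __name__ == "__main__":
    events = [LOGGER1_EVENT, API_TIME_EVENT]
    for name, pattern in [("original", ORIGINAL_REX),
                          ("corrected", CORRECTED_REX),
                          ("api-time", API_TIME_REX)]:
        print(f"{name:>10}: Code column = {extract_code(events, pattern)}")
```

Running the block shows the original pattern extracting nothing from either event, the corrected pattern extracting `Code=200` from the `<LoggerName1>|` event only, and the API-time pattern extracting `Code=503` from the other event only. That is the practical caveat of the reply: a rex written against one anonymised sample is only as good as that sample's resemblance to the real prefix. Separately, note that the child search's patterns such as `field1=(?<field1>)\}` contain empty capture groups, so even when they match they can only ever yield an empty string.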

NishantKrishna
Loves-to-Learn

It's still not working.

Below is my full event:

c.l.s.d.a.NotificationResourceController : API EXECUTION TIME|field1|field2|field3|field4|field5|field6|field7

field1 - time in ms

field2/field3 - mode of comms, in capital letters

field4 - brand, in capital letters

field5 - templateName (e.g. XX_YYYYYYY_ZZZ_XXX)

field6 - hashID

field7 - responsecode (2xx, 3xx, 4xx or 5xx)


ITWhisperer
SplunkTrust

Regex is a pattern matching algorithm. The problem with dummy data as you have provided is that if it doesn't accurately enough match the actual data, the regex used will not work. Please share an accurate representation of your events in a code block </> so that formatting is preserved as this is important for pattern recognition.


NishantKrishna
Loves-to-Learn

Attached log snippet: Log.png


NishantKrishna
Loves-to-Learn

Attached screenshot: SplunkResult.png


ITWhisperer
SplunkTrust

You would have to share some sample events (anonymised, of course) in order for us to determine why your rex command is not extracting the code for you.
