Splunk Search

Splunk Append Query

NishantKrishna
Loves-to-Learn

I am using the below query to merge 2 queries using append. However, I am unable to get the value of the field named "Code" from the first query under | search "Some Logger" printed in the Statistics section:

index=*
sourcetype=*
host=*
| search "Some Logger"
| rex "LoggerName\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
| table Code
| append
[ search
host=*
| search "LoggerName2*"
| rex field=_raw "field1=(?<field1>)\}"
| rex field=_raw "field2=(?<field2>),"
| rex field=_raw "field3=(?<field3>[a-zA-z-_0-9\\s]*)"
| rex field=_raw "(?<field4>[\w-]+)$"
| rex field=_raw "field5=(?<field5>),"
| rex field=_raw "field6=(?<field6>),"
| table field1,field2
]

The result from the 2nd/child query, i.e. | search "LoggerName2*", is printing just fine in a tabular format.

The value of the Code field is the API response code, i.e. it can be either 2XX, 3XX, 4XX or 5XX.
Could someone please help? Thanks!

0 Karma

NishantKrishna
Loves-to-Learn

Logger 1 events:

2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] XXXXXXXXX : <LoggerName1>|17327025|field|field|field|field|field|200


Logger 2 events:

2024-02-13 13:58:24.174 INFO 54208 ---[XX_XX:xx-xxx-xxx][utor-thread-XXX] c.l.s.d.a.XXXXXXX : XXX-XXX-20000: XXX: true, XXX: XXXXXXXXXXX0305a8a3f369f518,

XXXX: 6shfsgj7601f909<LoggerName2> {notificationDetails={key=XXX, key=hXXXXXn@XX.com , key=XXXXX, key=XXX, key=donotreply@XXX.co.uk, key=XXX63801, key=XXX_20240213, key=XXX_BATCH}, templateVariables={key=XXXX7757key=9NE, key=Mr, key=Mau}} , 583d6bc3-5e7d-4af8-a626-22db8bb50cb9

0 Karma

ITWhisperer
SplunkTrust

Your regex does not match your sample events. For example, the logger1 regex could look like this (assuming your example event is accurate):

| rex "\<LoggerName\d\>\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
0 Karma

NishantKrishna
Loves-to-Learn

It's still not working.

Below is my full event:

c.l.s.d.a.NotificationResourceController : API EXECUTION TIME|field1|field2|field3|field4|field5|field6|field7

field1 - time in ms

field2/field3 - mode of comms in caps letter

field4 - brand in caps letter

field5 - templateName( e.g. XX_YYYYYYY_ZZZ_XXX )

field6 - hashID

field7 - responsecode (2xx,3xx,4xx or 5xx)


0 Karma
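To make the point of the two posts above concrete (ITWhisperer's corrected rex prefix, and the pipe-delimited field layout the asker describes), here is an added Python check that is not part of the thread or of any Splunk product code. It runs the original rex pattern from the question and the corrected one against a constructed event modelled on the Logger 1 sample, and adds a third, end-anchored pattern (my own assumption, not from the thread) that only relies on the response code being the last pipe-delimited field. Splunk's rex uses PCRE-style named groups, so the helper converts (?<name>...) to Python's (?P<name>...) before matching.

```python
import re

# Constructed sample events, modelled on the lines posted in the thread.
# Field values are placeholders, not real data.
EVENT_LOGGER1 = (
    "2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] "
    "XXXXXXXXX : <LoggerName1>|17327025|EMAIL|SMS|BRANDX|XX_YYYYYYY_ZZZ_XXX|"
    "583d6bc3-5e7d-4af8-a626-22db8bb50cb9|200"
)
# Variant modelled on the "API EXECUTION TIME|..." layout from the later post.
EVENT_EXEC_TIME = (
    "2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] "
    "c.l.s.d.a.NotificationResourceController : API EXECUTION TIME|17327025|"
    "EMAIL|SMS|BRANDX|XX_YYYYYYY_ZZZ_XXX|583d6bc3-5e7d-4af8-a626-22db8bb50cb9|404"
)

# Pattern from the original question: expects the literal text "LoggerName|".
ORIGINAL_PATTERN = (
    r"LoggerName\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)"
    r"\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
)

# ITWhisperer's corrected prefix: the sample event actually reads "<LoggerName1>|".
CORRECTED_PATTERN = (
    r"\<LoggerName\d\>\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)"
    r"\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
)

# Assumed alternative (not from the thread): ignore the logger prefix entirely and
# take the last pipe-delimited field, which the thread says is a 2xx-5xx code.
ANCHORED_PATTERN = r"\|(?<Code>[2-5]\d{2})\s*$"


def pcre_to_python(pattern: str) -> str:
    """Splunk rex uses PCRE named groups (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def rex(pattern: str, event: str):
    """Mimic `| rex "<pattern>"` on _raw: first match, named groups as fields, else None."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else None


def is_response_code(value) -> bool:
    """The Code field should be an HTTP status in the 2xx-5xx range per the thread."""
    return bool(re.fullmatch(r"[2-5]\d{2}", value or ""))


def compare(event: str) -> dict:
    """Run all three patterns over one event so the differences are visible side by side."""
    return {
        "original": rex(ORIGINAL_PATTERN, event),
        "corrected": rex(CORRECTED_PATTERN, event),
        "anchored": rex(ANCHORED_PATTERN, event),
    }


if __name__ == "__main__":
    for label, event in (("logger1", EVENT_LOGGER1), ("exec_time", EVENT_EXEC_TIME)):
        print(f"== {label} ==")
        for name, fields in compare(event).items():
            code = fields.get("Code") if fields else None
            print(f"  {name:9s}: Code={code!r} valid={is_response_code(code)}")
```

On the Logger 1 sample the original pattern yields no fields at all (so `| table Code` has nothing to show), the corrected one extracts every field including Code=200, and on the "API EXECUTION TIME" variant only the end-anchored pattern still extracts the code, which is exactly why ITWhisperer asks for accurately formatted sample events before proposing a regex.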

ITWhisperer
SplunkTrust

Regex is a pattern-matching algorithm. The problem with dummy data such as you have provided is that if it doesn't match the actual data accurately enough, the regex used will not work. Please share an accurate representation of your events in a code block </> so that formatting is preserved, as this is important for pattern recognition.

0 Karma

NishantKrishna
Loves-to-Learn

Attached log snippet: Log.png

0 Karma

NishantKrishna
Loves-to-Learn

SplunkResult.png

0 Karma

ITWhisperer
SplunkTrust

You would have to share some sample events (anonymised, of course) in order for us to determine why your rex command is not extracting the code for you.

0 Karma