Splunk Search

Splunk Append Query

NishantKrishna
Loves-to-Learn

I am using the below query to merge 2 queries using append. However, I am unable to get the value of the field named "Code" from the first query under | search "Some Logger" printed in the Statistics section:

index=*
sourcetype=*
host=*
| search "Some Logger"
| rex "LoggerName\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
| table Code
| append
[ search
host=*
| search "LoggerName2*"
| rex field=_raw "field1=(?<field1>)\}"
| rex field=_raw "field2=(?<field2>),"
| rex field=_raw "field3=(?<field3>[a-zA-z-_0-9\\s]*)"
| rex field=_raw "(?<field4>[\w-]+)$"
| rex field=_raw "field5=(?<field5>),"
| rex field=_raw "field6=(?<field6>),"
| table field1,field2
]

The result from the 2nd/child query i.e. | search "LoggerName2*" is printing just fine in a tabular format.

Value of the code field is API response code i.e. can be either 2XX, 3XX, 4XX, 5XX.
Could someone please help ? Thanks!

Labels (1)
0 Karma

NishantKrishna
Loves-to-Learn

Logger 1 events:

2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] XXXXXXXXX : <LoggerName1>|17327025|field|field|field|field|field|200

 

Logger 2 events:

2024-02-13 13:58:24.174 INFO 54208 ---[XX_XX:xx-xxx-xxx][utor-thread-XXX] c.l.s.d.a.XXXXXXX : XXX-XXX-20000: XXX: true, XXX: XXXXXXXXXXX0305a8a3f369f518,

XXXX: 6shfsgj7601f909<LoggerName2> {notificationDetails={key=XXX, key=hXXXXXn@XX.com , key=XXXXX, key=XXX, key=donotreply@XXX.co.uk, key=XXX63801, key=XXX_20240213, key=XXX_BATCH}, templateVariables={key=XXXX7757key=9NE, key=Mr, key=Mau}} , 583d6bc3-5e7d-4af8-a626-22db8bb50cb9

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Your regex do not match your sample events, for example, the logger1 regex could look like this (assuming your example event is accurate):

| rex "\<LoggerName\d\>\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
0 Karma

NishantKrishna
Loves-to-Learn

It' still not working. 

Below is my full event :

c.l.s.d.a.NotificationResourceController : API EXECUTION TIME|field1|field2|field3|field4|field5|field6|field7

field1 - time in ms

field2/field3 - mode of comms in caps letter

field4 - brand in caps letter

field5 - templateName( e.g. XX_YYYYYYY_ZZZ_XXX )

field6 - hashID

field7 - responsecode (2xx,3xx,4xx or 5xx)

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Regex is a pattern matching algorithm. The problem with dummy data as you have provided is that if it doesn't accurately enough match the actual data, the regex used will not work. Please share an accurate representation of your events in a code block </> so that formatting is preserved as this is important for pattern recognition.

0 Karma

NishantKrishna
Loves-to-Learn

Attached log snippetLog.png

0 Karma

NishantKrishna
Loves-to-Learn

SplunkResult.png

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You would have to share some sample events (anonymised of course) in order for us to determine why your rex command is not extracting the code for you

0 Karma
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...