Splunk Append Query

NishantKrishna
Loves-to-Learn

I am using the below query to merge 2 queries using append. However, I am unable to get the value of the field named "Code" from the first query under | search "Some Logger" printed in the Statistics section:

index=*
sourcetype=*
host=*
| search "Some Logger"
| rex "LoggerName\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
| table Code
| append
[ search
host=*
| search "LoggerName2*"
| rex field=_raw "field1=(?<field1>)\}"
| rex field=_raw "field2=(?<field2>),"
| rex field=_raw "field3=(?<field3>[a-zA-z-_0-9\\s]*)"
| rex field=_raw "(?<field4>[\w-]+)$"
| rex field=_raw "field5=(?<field5>),"
| rex field=_raw "field6=(?<field6>),"
| table field1,field2
]

The result from the 2nd/child query i.e. | search "LoggerName2*" is printing just fine in a tabular format.

The value of the Code field is the API response code, i.e. it can be 2XX, 3XX, 4XX or 5XX.
Could someone please help? Thanks!


NishantKrishna
Loves-to-Learn

Logger 1 events:

2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] XXXXXXXXX : <LoggerName1>|17327025|field|field|field|field|field|200


Logger 2 events:

2024-02-13 13:58:24.174 INFO 54208 ---[XX_XX:xx-xxx-xxx][utor-thread-XXX] c.l.s.d.a.XXXXXXX : XXX-XXX-20000: XXX: true, XXX: XXXXXXXXXXX0305a8a3f369f518,

XXXX: 6shfsgj7601f909<LoggerName2> {notificationDetails={key=XXX, key=hXXXXXn@XX.com , key=XXXXX, key=XXX, key=donotreply@XXX.co.uk, key=XXX63801, key=XXX_20240213, key=XXX_BATCH}, templateVariables={key=XXXX7757key=9NE, key=Mr, key=Mau}} , 583d6bc3-5e7d-4af8-a626-22db8bb50cb9


ITWhisperer
SplunkTrust

Your regexes do not match your sample events. For example, the logger1 regex could look like this (assuming your example event is accurate):

| rex "\<LoggerName\d\>\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
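To see why the original rex leaves the Code column empty while the corrected one fills it, here is an added Python check (not code from the thread or from Splunk) that runs both patterns against the Logger 1 event posted above. The helper names are my own, and Python's re module stands in for Splunk's PCRE engine, which is why the named-group syntax is translated first.

```python
import re
from typing import Optional

# Constructed sample: the Logger 1 event exactly as posted in the thread.
LOGGER1_EVENT = (
    "2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] "
    "XXXXXXXXX : <LoggerName1>|17327025|field|field|field|field|field|200"
)

# The pipe-separated field part is identical in both patterns.
FIELDS = (r"\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)"
          r"\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)")
# Question's prefix: expects the literal text "LoggerName|", which the event never contains.
ORIGINAL_REX = "LoggerName" + FIELDS
# Answer's prefix: expects "<LoggerName<digit>>|", which is what the event actually has.
CORRECTED_REX = r"\<LoggerName\d\>" + FIELDS


def spl_rex_to_python(pattern: str) -> str:
    """Translate PCRE named groups (?<name>...) into Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract(pattern: str, event: str) -> Optional[dict]:
    """Mimic `| rex` on one event: named captures, or None when nothing matched."""
    m = re.search(spl_rex_to_python(pattern), event)
    return m.groupdict() if m else None


def code_field(pattern: str, event: str) -> Optional[str]:
    """The value `| table Code` would show for this event; None means an empty cell."""
    fields = extract(pattern, event)
    return fields["Code"] if fields else None


if __name__ == "__main__":
    print("original :", code_field(ORIGINAL_REX, LOGGER1_EVENT))   # None -> empty Code column
    print("corrected:", code_field(CORRECTED_REX, LOGGER1_EVENT))  # 200
```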

NishantKrishna
Loves-to-Learn

It's still not working.

Below is my full event :

c.l.s.d.a.NotificationResourceController : API EXECUTION TIME|field1|field2|field3|field4|field5|field6|field7

field1 - time in ms

field2/field3 - mode of comms in caps letter

field4 - brand in caps letter

field5 - templateName( e.g. XX_YYYYYYY_ZZZ_XXX )

field6 - hashID

field7 - responsecode (2xx,3xx,4xx or 5xx)



ITWhisperer
SplunkTrust

Regex is a pattern matching algorithm. The problem with dummy data as you have provided is that if it doesn't accurately enough match the actual data, the regex used will not work. Please share an accurate representation of your events in a code block </> so that formatting is preserved as this is important for pattern recognition.


NishantKrishna
Loves-to-Learn

Attached log snippet: Log.png


NishantKrishna
Loves-to-Learn

SplunkResult.png


ITWhisperer
SplunkTrust

You would have to share some sample events (anonymised, of course) in order for us to determine why your rex command is not extracting the code for you.
