Splunk Search

Subsearch multi queries

New Member

Hi Team
I have requirement to get api's triggered by per custkey in a single query

query 1:

/token host="test-host-*" custkey="*-*-*" | stats values(transid) as transid by custkey
Note: transids are possible to have more than. one per custmkey
output looks like below

----------------------------------------
|     custkey     |      transid       |
----------------------------------------
|     sdsdamndka  |      dkjndkwndkw   |
|                 |      ljdosjdowqsj   |
----------------------------------------
|   hdshsihdiwh   |      ndskndkndkq   |
----------------------------------------

query 2:

some-srting (transid from query 1 output)   | stats list(bearer)
output looks like below

euwgw4f56vxevd7vst6q8qq

query 3:

(bearer from query 2)  "test-host-*" | table apis, token_api_status
output looks like below

-----------------------------
apis            |    token_api_status |
-----------------------------
| /api/te1     | 200       |
-----------------------------
|  /api/te2.    | 200.     |
-----------------------------
| /api/te3      | 400      |
-----------------------------

I want to get all apis list and token_api_status per custmkey as shown below using a single query

-----------------------------------
custkey   | apis     | token_api_status |
-----------------------------------
dhsjhds    |  /api/te1 |  200     |
           | /api/te2 | 200      |
------------------------------------
rufidfhj   | /api/jh1  |  200  |
           | /api/jh2  | 200   |
--------------------------------------

So, Here I want relate custkey (query 1) with apis, token_api_status,

could you please help me to achieve this.

0 Karma

SplunkTrust
SplunkTrust

Okay, so you have three kinds of records.

Record ONE

host  custkey transid

Record TWO

transid bearer

Record THREE

host bearer apis token_api_status

The following code assumes that the data appears on three distinguishable records. If that is not right, then the query can be made simpler.

You do this in a single query that looks like this

(index=foo1 sourcetype=bar1 host="test-host-*" custkey="*-*-*" transid=*) OR
(index=foo2 sourcetype=bar2 transid=* bearer=*) OR
(index=foo3 sourcetype=bar3 host="test-host-*" bearer=* apis=* token_api_status=*)

| rename COMMENT as "Each one of the above conditions selects a single kind of record"
| rename COMMENT as "Keep only the fields you need"
| fields index sourcetype host custkey transid bearer apis token_api_status

| rename COMMENT as "Roll the custkey from record ONE over to the record TWOs"
| rename COMMENT as "Then throw away the record ONEs"
| eventstats values(custkey) as custkey by transid
| where (it/is/not/record/one)

| rename COMMENT as "Roll the api data from record THREE over to the record TWOs"
| rename COMMENT as "Then throw away the record THREEs"
| eventstats list(apis) as apis list(token_api_status) as token_api_status by transid
| where (it/is/not/record/three)

and you now have your combined records.

It may need slight modifications if you plan to do any further processing with it.

For instance, if you can have multiple responses for a single token, and only need the most recent token_api_status, then you might need to set up some deduping.

Or, if you plan to do further processing with each Api and response, then maybe it might be better to roll the customer over from the Record TWOs and throw them away, so you have one remaining record per api call.

0 Karma

SplunkTrust
SplunkTrust

Be sure to mark your code so that the html-like aspects don't disappear.

0 Karma

Ultra Champion

you should display the details.

  1. sourcetype and where fields are.
  2. query with using code sample and result
  3. sample logs
0 Karma

New Member

Hi, We are using above queries to get apis list, and i given sample output as well.
My requirement is, I want to fetch apis list per custkey.

0 Karma