Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch / query with inputlookup

Cranie
Explorer
‎09-01-2023 04:50 AM

Apologies, I am quite new to Splunk so not sure if this is possible, I have the following simple query:

 

 

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC

 

 

 

This works and gets the data I need for the error I am after, but, I want all associated values for the error by RunID.

So the headers are:
Host, InvocationID, Name, LogID, LogTS, LogName, MessageID, MessageText, RunID, RunTS, RunName

I would like to do something like:

 

 

| inputlookup appJobLogs
| where RunID in [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

 

 

I have tried various forms and closest I got was a join which gave me the not found fields (should be fixable) but limited to 10,000 results so that seems like the wrong solution.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]
0 Karma
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:31 AM

After a little tweaking this gives the desired results:

| inputlookup appJobLogs
| search [ | inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| fields RunID
| uniq
| format
]
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:01 AM

I got an error 

"The 'NOT ()' filter could not be optimized for search results."

I'll look into. Thanks for the suggestion

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2023 05:14 AM

If you want events grouped by one or more fields then you want the stats command.

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| stats values(*) as * by RunID

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:05 AM

This is pretty much what I want, but there are other RunID lines that do not have the "general error" message that I want to capture also. So your example groups all RunID's and the MessageText with "general error".

 

What I need is, all RunID entries for the RunID with MessageText "general error".

I.e:

 

RunIdMessageText
1Start
1There has been a general error.
1Finish
2Start

 

So I find the RunID 1 having the error and I want to output the start, finish and the error too. If that is possible, and in this example, not RunID 2.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...