Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch / query with inputlookup

Cranie
Explorer
‎09-01-2023 04:50 AM

Apologies, I am quite new to Splunk so not sure if this is possible, I have the following simple query:

 

 

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC

 

 

 

This works and gets the data I need for the error I am after, but, I want all associated values for the error by RunID.

So the headers are:
Host, InvocationID, Name, LogID, LogTS, LogName, MessageID, MessageText, RunID, RunTS, RunName

I would like to do something like:

 

 

| inputlookup appJobLogs
| where RunID in [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

 

 

I have tried various forms and closest I got was a join which gave me the not found fields (should be fixable) but limited to 10,000 results so that seems like the wrong solution.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:31 AM

After a little tweaking this gives the desired results:

| inputlookup appJobLogs
| search [ | inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| fields RunID
| uniq
| format
]
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:01 AM

I got an error 

"The 'NOT ()' filter could not be optimized for search results."

I'll look into. Thanks for the suggestion

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2023 05:14 AM

If you want events grouped by one or more fields then you want the stats command.

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| stats values(*) as * by RunID

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:05 AM

This is pretty much what I want, but there are other RunID lines that do not have the "general error" message that I want to capture also. So your example groups all RunID's and the MessageText with "general error".

 

What I need is, all RunID entries for the RunID with MessageText "general error".

I.e:

 

RunIdMessageText
1Start
1There has been a general error.
1Finish
2Start

 

So I find the RunID 1 having the error and I want to output the start, finish and the error too. If that is possible, and in this example, not RunID 2.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...