Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Subsearch / query with inputlookup

Cranie
Explorer
‎09-01-2023 04:50 AM

Apologies, I am quite new to Splunk so not sure if this is possible, I have the following simple query:

 

 

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC

 

 

 

This works and gets the data I need for the error I am after, but, I want all associated values for the error by RunID.

So the headers are:
Host, InvocationID, Name, LogID, LogTS, LogName, MessageID, MessageText, RunID, RunTS, RunName

I would like to do something like:

 

 

| inputlookup appJobLogs
| where RunID in [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

 

 

I have tried various forms and closest I got was a join which gave me the not found fields (should be fixable) but limited to 10,000 results so that seems like the wrong solution.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:31 AM

After a little tweaking this gives the desired results:

| inputlookup appJobLogs
| search [ | inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| fields RunID
| uniq
| format
]
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:01 AM

I got an error 

"The 'NOT ()' filter could not be optimized for search results."

I'll look into. Thanks for the suggestion

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2023 05:14 AM

If you want events grouped by one or more fields then you want the stats command.

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| stats values(*) as * by RunID

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:05 AM

This is pretty much what I want, but there are other RunID lines that do not have the "general error" message that I want to capture also. So your example groups all RunID's and the MessageText with "general error".

 

What I need is, all RunID entries for the RunID with MessageText "general error".

I.e:

 

RunIdMessageText
1Start
1There has been a general error.
1Finish
2Start

 

So I find the RunID 1 having the error and I want to output the start, finish and the error too. If that is possible, and in this example, not RunID 2.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...