Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch / query with inputlookup

Cranie
Explorer
‎09-01-2023 04:50 AM

Apologies, I am quite new to Splunk so not sure if this is possible, I have the following simple query:

 

 

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC

 

 

 

This works and gets the data I need for the error I am after, but, I want all associated values for the error by RunID.

So the headers are:
Host, InvocationID, Name, LogID, LogTS, LogName, MessageID, MessageText, RunID, RunTS, RunName

I would like to do something like:

 

 

| inputlookup appJobLogs
| where RunID in [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

 

 

I have tried various forms and closest I got was a join which gave me the not found fields (should be fixable) but limited to 10,000 results so that seems like the wrong solution.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2023 05:17 AM

Try something like this

| inputlookup appJobLogs where [
  | search appJobLogs
  | where match(MessageText, "(?i)general error")
  | fields RunID
]
0 Karma
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:31 AM

After a little tweaking this gives the desired results:

| inputlookup appJobLogs
| search [ | inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| fields RunID
| uniq
| format
]
| rex mode=sed field=MessageText "s/, /\n/g"
| sort RunStartTimeStamp asc, LogTimeStamp asc, LogID ASC
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:01 AM

I got an error 

"The 'NOT ()' filter could not be optimized for search results."

I'll look into. Thanks for the suggestion

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2023 05:14 AM

If you want events grouped by one or more fields then you want the stats command.

| inputlookup appJobLogs
| where match(MessageText, "(?i)general error")
| rex mode=sed field=MessageText "s/, /\n/g"
| stats values(*) as * by RunID

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Cranie
Explorer
‎09-01-2023 07:05 AM

This is pretty much what I want, but there are other RunID lines that do not have the "general error" message that I want to capture also. So your example groups all RunID's and the MessageText with "general error".

 

What I need is, all RunID entries for the RunID with MessageText "general error".

I.e:

 

RunIdMessageText
1Start
1There has been a general error.
1Finish
2Start

 

So I find the RunID 1 having the error and I want to output the start, finish and the error too. If that is possible, and in this example, not RunID 2.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...