Splunk Search

Trying to filter a log using another log with same index

chimuru84
Path Finder

Hello. 

I have an index="index", and if I add a field to the search, such as index="index" errorCode, I retrieve logs that contain the needed information, but it returns them for all existing countries. This query also contains the field accountId. If I search by index="index" accountId, I receive logs with country, but I don't have the errorCode. I want to search by index="index" errorCode, and use accountId to filter by country. I tried some subsearches, but with no result. Could someone help me?


ITWhisperer
SplunkTrust

Have you tried

index="index" errorCode accountId

chimuru84
Path Finder

Yes, no output. But I need results for many accounts. For example, if I run index="index" errorCode, I receive answers like this:

2025-11-04 Operation name [accountId=12345, errorCode=400]

If I run index="index" accountId, I receive:

2025-11-04 Operation name {accountId=12345, country='spain'}

I want to generate a pie chart for errorCode only for Spain


ITWhisperer
SplunkTrust

How about

index="index" country="spain"
| stats count by errorCode

chimuru84
Path Finder

I tried this one too. 

I think I solved by this one: index="index" errorCode [search index="index" countryCode="spain" | fields accountId | dedup accountId] | stats count by errorCode

PickleRick
SplunkTrust

Ouch. Don't use subsearches unless you are absolutely sure you're aware of their limitations. Same goes for dedup.

Also searching for something from an index in the subsearch and then searching for those items from the same search can surely be done much more efficiently without the subsearch.

Unfortunately your original question was a bit vague. Show us a sample of your data (anonymized/sanitized if needed) and tell us what you want to achieve.


chimuru84
Path Finder

@PickleRick 

What I want to do is to receive logs like this below to make a pie chart. So I have this index: index="index", and if I add to this index different fields I receive different outputs. The output below doesn't have fields like countryCode to use to filter logs only for Spain. But contains accountId, and if I add to the search index only accountId, I receive logs with countryCode. This is why I use subsearch to filter logs below only for Spain. Make sense?

run: index="index" errorCode -> receive: 2025-11-04 Operation name [accountId=12345, errorCode=400]

run: index="index" accountId -> receive: 2025-11-04 Operation name {accountId=12345, country='spain'}


PickleRick
SplunkTrust

Nope. You're still doing a lot of hand waving.

A pie chart is just a visualization so it's not adding anything to the question.

Again - what data you have and what is the relationship between events if there is any.

Your two example events (if they are not typed in by hand but copy-pasted, that would mean you have a horribly inconsistent logging format):

receive: 2025-11-04 Operation name [accountId=12345, errorCode=400]
receive: 2025-11-04 Operation name {accountId=12345, country='spain'}

would suggest that you could (assuming your fields are properly extracted) aggregate your data, for example with

index=whatever | stats values(errorCode) as errorCode values(country) as country by accountId

That's a typical approach to this kind of problem.


ITWhisperer
SplunkTrust
index="index"
| eventstats values(country) as country by accountId
| where country="spain"
| stats count by errorCode

Note that eventstats is a non-streaming command so this may impact performance (although this still may be better than potentially searching the index twice!)

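To make the eventstats approach above reproducible without access to the real index, here is an added example (not from the thread) that builds seven constructed events in the two formats quoted earlier with makeresults, extracts accountId, errorCode and country with rex, and then propagates each account's country to its errorCode events before counting. It assumes the fields are not already extracted by the sourcetype; on real data, replace everything before the rex lines with index="index".

```spl
| makeresults
| eval _raw="2025-11-04 Operation name [accountId=12345, errorCode=400];"
          ."2025-11-04 Operation name {accountId=12345, country='spain'};"
          ."2025-11-04 Operation name [accountId=12345, errorCode=404];"
          ."2025-11-04 Operation name [accountId=67890, errorCode=500];"
          ."2025-11-04 Operation name {accountId=67890, country='france'};"
          ."2025-11-04 Operation name [accountId=11111, errorCode=500];"
          ."2025-11-04 Operation name {accountId=11111, country='spain'}"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "accountId=(?<accountId>\d+)"
| rex field=_raw "errorCode=(?<errorCode>\d+)"
| rex field=_raw "country='(?<country>[^']+)'"
| eventstats values(country) AS country BY accountId
| where country="spain"
| stats count BY errorCode
```

The country-only events survive the where clause but carry no errorCode, so stats drops them, leaving one row each for errorCode 400, 404 and 500 (the France account's 500 is excluded). If eventstats memory use is a concern on a large index, the stats values(errorCode) values(country) by accountId form shown above yields the same per-account table in a single streaming-friendly aggregation.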

PickleRick
SplunkTrust

It really depends on the use case and data. Unfortunately eventstats can be a memory-hungry command, especially on a high-volume data set, so if there is another way, it would be better to find it.

chimuru84
Path Finder

Yes, this gives me better answers. Thank you
