Splunk Search

Two Different searches in same index match second search with first Key-value

chetan022
Engager

I have two different searches in the same index. In the first search I have to find using user ID and Session ID, but in the second search I have to match my first Session ID with the second search result, and the final output will be the total count. Can you please help me with the above scenario?

0 Karma

to4kawa
Ultra Champion

index=your_index (first search) OR (second search)
| stats count count(User_ID) as flag by session_ID
| where flag > 0
| stats sum(count) as total

0 Karma

chetan022
Engager

Hi,

My scenario is very simple.

1. There is one index [but the logs are in different places, i.e. we can use the same index with search but in a different search window; if we do OR / AND operations in a single query it is not able to find them]

2. In the first query we need to search a. Session ID b. and policy starting with some number like 4*

3. In the second search we need to check error/exception with the same session ID in the next line [same session ID that we captured in the first query]

 

@to4kawa Please help 

0 Karma

chetan022
Engager

Hi ,

Here are the logs :

2020-12-09 09:57:48 | absc | THIS IS TEST | -SessionID :SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567

2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455

Here the index is the same but the logs are in a different place...

In the first query we need to search a. Session ID b. and policy starting with some number like 4*

3. In the second search we need to check error/exception with the same session ID in the next line [same session ID that we captured in the first query]

Here in our case the session ID is SGDGDJEYEUEUU3455, but in the first log it is "SessionID" and in the second search it is only "Session".

0 Karma

to4kawa
Ultra Champion

|makeresults
| eval _raw="2020-12-09 09:57:48 | absc | THIS IS TEST | -SessionID :SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567
2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455"
| multikv noheader=t
| fields _raw
| rename COMMENT as "your sample"
| rex "Session.*? (?:\:?)(?<session>\w+)"
| stats values(_raw) as _raw by session

You can extract it with a regular expression.

0 Karma

chetan022
Engager

Hi ,

I am sorry, I am new to Splunk; I tried but no luck. I think it's confusing you... I'm re-framing it again...

Logs : 

1. 2020-12-09 09:57:48 | absc | THIS IS TEST ONE | -SessionID : SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567 [Assume this is on one log file]

2. 2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455 [Assume this is on another log file]

Here the index is the same, say index=abcdrf

But the scenario is: first we need to search the session ID and policy starting with 45 from Log 1,

and in the 2nd log check for Exception@Test Details with the same session ID in the next line.

And finally we need the count of matching sessions.

0 Karma

to4kawa
Ultra Champion

index=abcdrf (Policy=45* OR "Exception@Test Details")
| rex "Session.*? (?:\:?)(?<session>\w+)"
| eval flag=if(searchmatch("Exception@Test Details"),"second","first")
| stats count dc(flag) as flags by session
| where flags > 1

See the documentation for the meaning of the commands.

 

0 Karma
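To show what that search pipeline computes on the thread's two sample lines, here is an added Python example (not from the thread and not Splunk code) that extracts the session with the same regex idea, flags each event as "first" or "second", and keeps only sessions seen in both; the two extra log lines are constructed negatives.

```python
import re
from collections import defaultdict

# Constructed sample input: the two lines from the thread plus two negatives.
SAMPLE_LOGS = [
    "2020-12-09 09:57:48 | absc | THIS IS TEST ONE | -SessionID : SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567",
    "2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455",
    # constructed: an error line whose session has no matching policy line
    "2020-12-09 10:07:11 | ERROR | Exception@Test Details- - Session ZZZONLYERROR9",
    # constructed: a policy line whose number does not start with 45
    "2020-12-09 10:09:00 | absc | THIS IS TEST | -SessionID : ABCNOTFORTYFIVE | Search1 Here : {Policynumber:9999",
]

# Same shape as the rex in the thread: "Session", optional text, a space, optional colon, the id.
SESSION_RE = re.compile(r"Session.*? :?(?P<session>\w+)")
POLICY_RE = re.compile(r"Policynumber:(?P<policy>\d+)")
ERROR_MARK = "Exception@Test Details"

def classify(line, policy_prefix="45"):
    """Return (session, flag) or None; flag mirrors the SPL eval: 'first' or 'second'."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    session = m.group("session")
    if ERROR_MARK in line:
        return session, "second"
    p = POLICY_RE.search(line)
    if p and p.group("policy").startswith(policy_prefix):
        return session, "first"
    return None  # matched neither half of the search

def correlate(lines, policy_prefix="45"):
    """Equivalent of: stats count dc(flag) as flags by session | where flags > 1"""
    per_session = defaultdict(lambda: {"count": 0, "flags": set()})
    for line in lines:
        hit = classify(line, policy_prefix)
        if hit is None:
            continue
        session, flag = hit
        per_session[session]["count"] += 1
        per_session[session]["flags"].add(flag)
    # keep sessions that appear in both the policy line and the error line
    return {s: v["count"] for s, v in per_session.items() if len(v["flags"]) > 1}

def total_sessions(lines, policy_prefix="45"):
    """The final number the question asks for: how many sessions matched both searches."""
    return len(correlate(lines, policy_prefix))
```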

to4kawa
Ultra Champion

I don't have a log, so I'm not sure.

0 Karma