
Two different searches in the same index: match the second search with the first's key-value

chetan022
Engager

I have two different searches in the same index. In the first search I have to find using user ID and session ID, but in the second search I have to match my first session ID with the second search result, and the final O/P will be the total count. Can you please help me with the above scenario?

0 Karma

to4kawa
Ultra Champion

index=your_index (first search) OR (second search)
| stats count count(User_ID) as flag by session_ID
| where flag > 0
| stats sum(count) as total

0 Karma

chetan022
Engager

Hi,

My scenario is so simple.

1. There is one index [but the logs are in different places, i.e. we can use the same index in a search, but in different search windows; if we do an OR/AND operation in a single query it is not able to find them]

2. In the first query we need to search a. session ID b. and policy starting with some number like 4*

3. In the second search we need to check error/exception with the same session ID in the next line [same session ID that we captured in the first query]

@to4kawa Please help

0 Karma

chetan022
Engager

Hi ,

Here are the logs :

2020-12-09 09:57:48 | absc | THIS IS TEST | -SessionID :SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567

2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455

Here the index is the same but the logs are in a different place...

In the first query we need to search a. session ID b. and policy starting with some number like 4*

In the second search we need to check error/exception with the same session ID in the next line [same session ID that we captured in the first query]

Here in our case the session ID is SGDGDJEYEUEUU3455, but in the first log it is "SessionID" and in the second search it is only "Session".

0 Karma

to4kawa
Ultra Champion

|makeresults
| eval _raw="2020-12-09 09:57:48 | absc | THIS IS TEST | -SessionID :SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567
2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455"
| multikv noheader=t
| fields _raw
| rename COMMENT as "your sample"
| rex "Session.*? (?:\:?)(?<session>\w+)"
| stats values(_raw) as _raw by session

You can extract it with a regular expression.

0 Karma

chetan022
Engager

Hi ,

I am sorry, I am new to Splunk. I tried but no luck. I think it's confusing you... I'm re-framing it again...

Logs : 

1. 2020-12-09 09:57:48 | absc | THIS IS TEST ONE | -SessionID : SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567 [Assume this is on one log file]

2. 2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455 [Assume this is on another log file]

Here, the index is the same; we can say index=abcdrf

But the scenario is: first we need to search session ID and policy starting with 45 from log 1

and in the 2nd log check for Exception@Test Details with the same session ID in the next line

And finally we need the count for the same session.

0 Karma

to4kawa
Ultra Champion

index=abcdrf (Policy=45* OR "Exception@Test Details")
| rex "Session.*? (?:\:?)(?<session>\w+)"
| eval flag=if(searchmatch("Exception@Test Details"),"second","first")
| stats count dc(flag) as flags by session
| where flags > 1

See the documentation for the meaning of the commands.

0 Karma

to4kawa
Ultra Champion

I don't have a log, so I'm not sure.

0 Karma
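As an added example, not code from the thread or from Splunk, here is a stand-alone Python re-implementation of what to4kawa's regex answer and the final search together do: pull the session ID out of both event shapes with one pattern, tag each event as "first" (a Search1 event whose policy number starts with 45) or "second" (an Exception@Test Details event), and keep only sessions that were seen with both tags, which is the `stats count dc(flag) by session | where ... > 1` idea. The log lines are constructed to match the two formats chetan022 posted, including the three spellings of the session marker the thread mentions ("SessionID :X", "SessionID : X", "Session X"), plus extra sessions that appear on only one side so the filter has something to drop; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the two formats posted in the thread
# (not real logs). ABCDEF1234, ZZZZ9999 and NOTINFIRST each appear on only
# one side, so the correlation step has something to discard.
EVENTS = [
    "2020-12-09 09:57:48 | absc | THIS IS TEST ONE | -SessionID : SGDGDJEYEUEUU3455 | Search1 Here : {Policynumber:4567",
    "2020-12-09 09:58:02 | absc | THIS IS TEST ONE | -SessionID :ABCDEF1234 | Search1 Here : {Policynumber:4599",
    "2020-12-09 09:58:30 | absc | THIS IS TEST ONE | -SessionID :ZZZZ9999 | Search1 Here : {Policynumber:7001",
    "2020-12-09 10:05:39 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455",
    "2020-12-09 10:06:11 | ERROR | Exception@Test Details- - Session ZZZZ9999",
    "2020-12-09 10:07:00 | ERROR | Exception@Test Details- - Session NOTINFIRST",
    "2020-12-09 10:07:30 | ERROR | Exception@Test Details- - Session SGDGDJEYEUEUU3455",
]

# One pattern for all three spellings seen in the thread:
# "SessionID :X", "SessionID : X" and "Session X".
SESSION_RE = re.compile(r"Session\w*\s*:?\s*(?P<session>\w+)")
POLICY_RE = re.compile(r"Policynumber:(?P<policy>\d+)")
ERROR_MARK = "Exception@Test Details"


def classify(event, policy_prefix="45"):
    """Tag one raw event, mirroring the eval flag=if(searchmatch(...)) step.

    Returns (session, "second") for an Exception@Test Details event,
    (session, "first") for a Search1 event whose policy number starts with
    policy_prefix, and None for anything neither search would return.
    """
    m = SESSION_RE.search(event)
    if m is None:
        return None
    session = m.group("session")
    if ERROR_MARK in event:
        return session, "second"
    p = POLICY_RE.search(event)
    if p is not None and p.group("policy").startswith(policy_prefix):
        return session, "first"
    return None


def correlate(events, policy_prefix="45"):
    """Emulate: | stats count dc(flag) as flags by session | where flags > 1

    Returns {session: event_count} for every session that has at least one
    "first" event and at least one "second" event.
    """
    per_session = defaultdict(lambda: {"count": 0, "flags": set()})
    for event in events:
        tagged = classify(event, policy_prefix)
        if tagged is None:
            continue
        session, flag = tagged
        per_session[session]["count"] += 1
        per_session[session]["flags"].add(flag)
    return {s: v["count"] for s, v in per_session.items() if len(v["flags"]) > 1}


def summarize(events, policy_prefix="45"):
    """The final figure the poster asked for: how many sessions matched on
    both sides, and how many events those sessions contributed in total."""
    matched = correlate(events, policy_prefix)
    return {"sessions": len(matched), "events": sum(matched.values())}


if __name__ == "__main__":
    for session, n in correlate(EVENTS).items():
        print(f"{session}: {n} events across both searches")
    print(summarize(EVENTS))
```

Running it against the constructed sample keeps only SGDGDJEYEUEUU3455 (one policy-45 event plus two exception events), which is the same session the two posted log lines share; sessions with a policy outside the prefix or with no exception are dropped, exactly as the `where flags > 1` filter does in SPL. Changing `policy_prefix` shows the other side of the same filter.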