Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use extracted field in a subsearch

kochera
Communicator
‎04-05-2011 06:36 AM

Hi,

I would like to combine two searches. The first one gives me the session-id which i would like to use in a second search, e.g.

Query 1: index=main 123.123.123.156 source="/appl/log/www/access.log" |rex field=raw "\"\s\"(?[A-z,0-9,-.]+)"

Query 2: index=main $SessionID$ source="/appl/log/www/access.log"

Cheers, Andy

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-05-2011 10:21 AM

Hi kochera

you could use something like that (I used a different regex for this example!):

index="main" 123.123.123.156 source="/appl/log/www/access.log" [search index="main" source="/appl/log/www/access.log" | rex field=_raw "(?i)^(?:[^-]*-){5}\s+(?P.+)" | fields requestid ]

the sub search will result in a list of:

( ( requestid="xxxxxxxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxx" ) )

and this will be used in the search.

hope this helps

MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-05-2011 10:21 AM

Hi kochera

you could use something like that (I used a different regex for this example!):

index="main" 123.123.123.156 source="/appl/log/www/access.log" [search index="main" source="/appl/log/www/access.log" | rex field=_raw "(?i)^(?:[^-]*-){5}\s+(?P.+)" | fields requestid ]

the sub search will result in a list of:

( ( requestid="xxxxxxxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxx" ) )

and this will be used in the search.

hope this helps

MuS

Reply
Solved! Jump to solution

kochera
Communicator
‎04-05-2011 12:51 PM

if I leave the IP away, then I see results but as you mentioned, this doesn't make any sense...

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-05-2011 12:36 PM

okay leave the IP completely away in any search; but then I wonder why are you using a sub search anyway?

Reply
Solved! Jump to solution

kochera
Communicator
‎04-05-2011 11:53 AM

yes, that's what I'm trying at the moment

index=main source="/appl/log/www/access.log" [search index=main source="/appl/log/www/access.log" "123.123.123.156" |rex field=raw "\"\s\"(?[A-z,0-9,-.]+)"| fields + sessionid]

But somehow I don't get any results...

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-05-2011 11:41 AM

well then just leave the IP away in the main search, then you should see any SessionID of any IP.

Reply
Solved! Jump to solution

kochera
Communicator
‎04-05-2011 11:07 AM

Hi, thanks for your answer. I'm not sure if this gives me the correct result. I would like to check if the same SessionID is used with a different IP-Adress.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...