Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use extracted field in a subsearch

kochera
Communicator
‎04-05-2011 06:36 AM

Hi,

I would like to combine two searches. The first one gives me the session-id which i would like to use in a second search, e.g.

Query 1: index=main 123.123.123.156 source="/appl/log/www/access.log" |rex field=raw "\"\s\"(?[A-z,0-9,-.]+)"

Query 2: index=main $SessionID$ source="/appl/log/www/access.log"

Cheers, Andy

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎04-05-2011 10:21 AM

Hi kochera

you could use something like that (I used a different regex for this example!):

index="main" 123.123.123.156 source="/appl/log/www/access.log" [search index="main" source="/appl/log/www/access.log" | rex field=_raw "(?i)^(?:[^-]*-){5}\s+(?P.+)" | fields requestid ]

the sub search will result in a list of:

( ( requestid="xxxxxxxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxx" ) )

and this will be used in the search.

hope this helps

MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎04-05-2011 10:21 AM

Hi kochera

you could use something like that (I used a different regex for this example!):

index="main" 123.123.123.156 source="/appl/log/www/access.log" [search index="main" source="/appl/log/www/access.log" | rex field=_raw "(?i)^(?:[^-]*-){5}\s+(?P.+)" | fields requestid ]

the sub search will result in a list of:

( ( requestid="xxxxxxxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxxxxx" ) OR ( requestid="xxxxxxxxx" ) )

and this will be used in the search.

hope this helps

MuS

Reply
Solved! Jump to solution

kochera
Communicator
‎04-05-2011 12:51 PM

if I leave the IP away, then I see results but as you mentioned, this doesn't make any sense...

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎04-05-2011 12:36 PM

okay leave the IP completely away in any search; but then I wonder why are you using a sub search anyway?

Reply
Solved! Jump to solution

kochera
Communicator
‎04-05-2011 11:53 AM

yes, that's what I'm trying at the moment

index=main source="/appl/log/www/access.log" [search index=main source="/appl/log/www/access.log" "123.123.123.156" |rex field=raw "\"\s\"(?[A-z,0-9,-.]+)"| fields + sessionid]

But somehow I don't get any results...

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎04-05-2011 11:41 AM

well then just leave the IP away in the main search, then you should see any SessionID of any IP.

Reply
Solved! Jump to solution

kochera
Communicator
‎04-05-2011 11:07 AM

Hi, thanks for your answer. I'm not sure if this gives me the correct result. I would like to check if the same SessionID is used with a different IP-Adress.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...