Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Want to merge two query with different fields in one

nikhilup
New Member
‎01-05-2022 04:17 AM

First query
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval _raw = msg
| rex "Request\#\:\s*(?<ID1>\d+) with (?<Status>\w+.\w+)"|rex "CRERequestId\"\:\"(?<ID2>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status by ID
| eval Status=trim(Status, "status ")
| stats count by Status

Second query

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg="*Rejected*"
| eval _raw = msg
| rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Rejected_CRE_ID>\d+)"
| rex status(?<Rejected>\s\w+)
| rex (?<Failed_Reason>Rule.*)$
| eval Failed_Reason=trim(Failed_Reason, "Rule ")
| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason

 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-05-2022 04:47 AM

Can you give (sanitised) examples of the events you are working with and the aim of the merged query?

0 Karma
Reply

nikhilup
New Member
‎01-05-2022 05:04 AM

 Actually I want to calculate the  friction rate   of all the status which I am getting from query

You can see all below status with queries

Manual Review - Splunk Query
------------------------------------------------------
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg="*Manual Review*"
| eval _raw = msg
| rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Manual_CRE_ID>\d+)"
| rex "with(?<Manual_Review>\s\w+\s\w+)"
| rex "(?<Failed_Reason>Rule.*)$"
| eval Failed_Reason=trim(Failed_Reason, "Rule ")
| stats count by CRE_Creation_Date Manual_CRE_ID Manual_Review Failed_Reason


------------------------------------------------------
status Approved - Splunk Query
------------------------------------------------------
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg = "*status Approved*"
| eval _raw = msg
| rex "INFO\s\|\s(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Approved_CRE_ID>\d+)"
| rex "status(?<Approved>\s........)"
| stats count by CRE_Creation_Date Approved_CRE_ID Approved


------------------------------------------------------
status Rejected - Splunk Query
------------------------------------------------------
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg="*Rejected*"
| eval _raw = msg
| rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Rejected_CRE_ID>\d+)"
| rex status(?<Rejected>\s\w+)
| rex (?<Failed_Reason>Rule.*)$
| eval Failed_Reason=trim(Failed_Reason, "Rule ")
| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...