Splunk Search

Want to merge two query with different fields in one

nikhilup
New Member

First query
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval _raw = msg
| rex "Request\#\:\s*(?<ID1>\d+) with (?<Status>\w+.\w+)"|rex "CRERequestId\"\:\"(?<ID2>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status by ID
| eval Status=trim(Status, "status ")
| stats count by Status

Second query

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg="*Rejected*"
| eval _raw = msg
| rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Rejected_CRE_ID>\d+)"
| rex "status(?<Rejected>\s\w+)"
| rex "(?<Failed_Reason>Rule.*)$"
| eval Failed_Reason=trim(Failed_Reason, "Rule ")
| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason

 


ITWhisperer
SplunkTrust

Can you give (sanitised) examples of the events you are working with and the aim of the merged query?


nikhilup
New Member

Actually I want to calculate the friction rate of all the statuses which I am getting from the queries.

You can see all the statuses below with their queries.

Manual Review - Splunk Query
------------------------------------------------------
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg="*Manual Review*"
| eval _raw = msg
| rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Manual_CRE_ID>\d+)"
| rex "with(?<Manual_Review>\s\w+\s\w+)"
| rex "(?<Failed_Reason>Rule.*)$"
| eval Failed_Reason=trim(Failed_Reason, "Rule ")
| stats count by CRE_Creation_Date Manual_CRE_ID Manual_Review Failed_Reason


------------------------------------------------------
status Approved - Splunk Query
------------------------------------------------------
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg = "*status Approved*"
| eval _raw = msg
| rex "INFO\s\|\s(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Approved_CRE_ID>\d+)"
| rex "status(?<Approved>\s........)"
| stats count by CRE_Creation_Date Approved_CRE_ID Approved


------------------------------------------------------
status Rejected - Splunk Query
------------------------------------------------------
index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"
| search msg="*Rejected*"
| eval _raw = msg
| rex "(?<CRE_Creation_Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"
| rex "Request\#\:\s*(?<Rejected_CRE_ID>\d+)"
| rex "status(?<Rejected>\s\w+)"
| rex "(?<Failed_Reason>Rule.*)$"
| eval Failed_Reason=trim(Failed_Reason, "Rule ")
| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason
