When I get a certain string in one search result, ...

splunk0 · ‎09-08-2015

Hi,

Best way for me to explain is by example.

example search:

host=*guac* sourcetype="syslog" | rex field=_raw "guacd\[(?<guacd>\d+)\]" | rex field=_raw "connected-listener: id=\"(?<connection_id>.+)\" email=" | search  "5b629c6f-4b1a-410a-9382-53d694c23972" OR guacd=10734

I added the last search filter just for clarity to get a small result set.

Example result set:

Whenever I get a string like "Error writing data to socket", I want to append the email to that result which can be found if correlated with the guacd field and then with the connection_id field

Not sure how to do it.

Any idea?

somesoni2 · ‎09-08-2015

Try something like this

   host=*guac* sourcetype="syslog" | rex field=_raw "guacd\[(?<guacd>\d+)\]" | rex field=_raw "Connection ID is \"(?<connection_id>.+)\"" | eventstats values(connection_id) as connection_id by guacd| rex field=_raw "connected-listener: id=\"(?<connection_id2>.+)\" email=(?<email>.+)"  | eval connection_id=colesce(connection_id2,connection_id) | search  connection_id="5b629c6f-4b1a-410a-9382-53d694c23972" guacd=10734  | eventstats values(email) as email by guacd connection_id| table _time _raw guacd connection_id email

splunk0 · ‎09-08-2015

small fix for the example query (same result set):
host=guac sourcetype="syslog" | rex field=_raw "guacd[(?\d+)]" | rex field=_raw "connected-listener: id=\"(?.+)\" email=" | rex field=_raw "Connection ID is \"(?.+)\"" | search "5b629c6f-4b1a-410a-9382-53d694c23972" OR guacd=10734 | table _time _raw guacd connection_id

When I get a certain string in one search result, how do I append a field from another event that can be found through correlation of 2 other fields?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform