Hi I need some help with the join command. I have 2 events as below - 1st Event -   2020-09-03 12:50:01,811|catalina-exec-173|INFO|LoggingService|RESPONSE status=404 api=[/checkout/details]" error="detail_not_found"   2nd Event -   2020-09-03 12:54:50,915|catalina-exec-137|INFO|OrderService|Order placed successfully    Both events have a common field uniqueID. Now what I want is extract the uniqueID's for a scenario where the 1st event occurred but the 2nd event didn't.  Means number of users got the error and didn't proceed to place the order. I have the below query using which I was able to join the 2 events but what i want is opposite. Can someone advice.   index=my_test host="server-1" "OrderService|Order placed successfully" | join uniqueId max=0 [ search index=my_test host="server-1" status=[404] "api=[/checkout/details]" error="detail_not_found" | dedup uniqueId]   ... View more

Hi, I am stuck at a query problem. So what i need to do is join some events and get the result and for that I am using stats. I can't use join because of the sub-search limitation. Below is my query. The common field in the events is id which i am extracting but what I want to do is produce a table based on clientId (like below) but the current query does not give what i require. clientId SuccessCount FailedAttemptCount client1 100 50 client2 250 70 client3 5500 450   The problem is my one event contains clientId (sourcetype=splunk_audit_log event=AUTHN_ATTEMPT clientId=* status=inprogress) and another event contain whether that client was successful during login attempt (source="server.log" "In processCredentials" ) The query which i created is -     index=test (sourcetype=splunk_log event=AUTHN_ATTEMPT clientId=* status=inprogress) OR (source="server.log" "In processPasswordCredential" NOT "not found!") | rex field=_raw "user\=\[\d+\] (?<raw_status>.*)" | rex field=_raw "sessionid\=\"id\:(?<id>[^\"]+)" | eval status_new=case(raw_status="found and success","Success", raw_status="found but failed","Fail") | stats list(status_new) as aa_status by id | eval NumberOfSuccess=mvfilter(match(aa_status, "Success")) | eval NumberOfFail=mvfilter(match(aa_status, "Fail")) | eval SuccessCount = mvcount(NumberOfSuccess) | eval FailedAttemptCount = mvcount(NumberOfFail) | fields - NumberOfSuccess NumberOfFail count aa_status       let me know if someone can help please. Appreciate your support. ... View more

Hi, I am trying to use transaction command where I need to get the data from 2 specific events with different sourcetypes. These 2 events are      2020-07-09 12:50:09,918 id="id:1234" event=test_attempt app= connid=myapp status=inprogress responsetime=7 inmessagetype="Request" 2020-07-09 12:50:09,105 id:1234 INFO [org.test.validator.MediaValidator] in MediaValidator VERIFIED user=test@gmail.com found and match     The 1st event could occur multiple times in the same transaction and that's why sometimes my transaction command is just grouping those 2 events and that's it. The common attribute in both of these events are id on which I am using transaction like below but it doesn't seem to be working. Sometimes I am only getting single event and sometimes the 1st event is grouped together  Can someone advice what could be done here to achieve this task. I can't use join because of the subsearch limitation and I have to use the transaction.     index=myindex (sourcetype="server_log" "[org.test.validator.MediaValidator] in MediaValidator) OR (source="/app/log/splunk-audit.log" event=test_attempt inmessagetype="Request" sourcetype=audit_log) | rex field=_raw "id\=\"id\:(?<id>[^\"]+)" | rex field=_raw "id\:(?<id>[^\s]+)" | transaction id keepevicted=true      @gcusello @to4kawa  ... View more

Hi, I am trying to join 2 searches with produce some results but I am getting this error which says -  "subsearch produced 50000 results truncating to 50000". I can't change the limits.conf so is there any other way to get the stats without using join.  This is my search -   index=test_index ip="83.136.24.154" sourcetype=audit_log event=Attempt NOT messagetype=Request NOT status=failure | rex field=idDetails "id\:(?<id>.*)" | eval successful_login=if(status == "success", "Yes", "No") | rename subject AS username | join type=left id username [ search index=test_index sourcetype=server_log "validator.Credential" | rex field=_raw "id\:(?<id>[^\s]+)" | rex field=_raw "mytemp\s(?<message>.*)$" | rex field=_raw "user\s\[?(?<username>[^\]]+)" | fields id,message,username] | table _time,username,successful_login,message   Let me know if someone can advice.  ... View more

Hi, I have a lookup which contains one column (name - vanity_url) and around 800 rows. Something like this - vanity_url /checkout /your-details /billing   My Splunk logs has the event related to these rows in a field called requested_content. Some of them are present in the logs and some are not. I want to print the matched and non matched values from the lookup in a table. Something like this - requested_content present /checkout yes /your-details yes /billing yes /direct-debit no   I have tried something like this but it doesn't seem to be working.     index=myapp_pp sourcetype=access_combined GET host="my-server-*" | eval type="MainIndex" | fields requested_content type | appendpipe [| inputlookup vanity.csv | eval type="lookup" | rename vanity_url as requested_content | fields type requested_content ] | stats dc(type) as pot, values(*) AS * by requested_content | where pot=1 and type="lookup"     @to4kawa  ... View more

Hi, I have a query where I need to join it by a lookup to match the records. This is horribly slow and could be because of join command as it is very expensive.  Is there a way to optimize this search as I have to run this for last 90 days and it keeps running for ages. My lookup only consist of one column i.e. URL against which I need to match the records and then count them Let me know if someone can advice     index=myapp_pp sourcetype=access_combined GET host="my-server-*" | join requested_conten [| inputlookup vanity.csv | rename url as requested_content] | stats count by requested_content | sort - count     ... View more