cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
alok
Loves-to-Learn Everything
Member since: ‎11-16-2020
‎11-17-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-16-2020
View All

Re: How rex field list values assign dynamically t...

by in Splunk Search
‎11-16-2020 05:39 PM
‎11-16-2020 05:39 PM
I ran the suggested query getting a error message  Error in 'map': Did not find value for required attribute 'rec_prod_step_function'. Please suggest. As debug I break the query when I ran    index="os" (source="/var/log/steps/*/controller") sourcetype="too_small" (host="ip-101-108-*-*" OR host="ip-101-108-*-*") | transaction source startswith=("/code/ttt_env.sh" OR "/code/ttt_gen.sh") endswith="startRun() called" | rex field=_raw "(?<rec_prod_step_function>\bs-[a-zA-Z0-9_]+)" | where rec_prod_step_function="*"   It is not returning any event. but when I used "where" to "search"   index="os" (source="/var/log/steps/*/controller") sourcetype="too_small" (host="ip-101-108-*-*" OR host="ip-101-108-*-*") | transaction source startswith=("/code/ttt_env.sh" OR "/code/ttt_gen.sh") endswith="startRun() called" | rex field=_raw "(?<rec_prod_step_function>\bs-[a-zA-Z0-9_]+)" | search rec_prod_step_function="*"   Query returns two events that is correct. Please suggest. Thanks !! ... View more

How rex field list values assign dynamically to so...

by in Splunk Search
‎11-16-2020 02:41 PM
‎11-16-2020 02:41 PM
Hello, Query one returns a result with one fields as list of values. I want to  pass those list of value as the search source path and result returns for second query. Given below is the detail. Please suggest how to achieve ?  Query1 :  index="os" (source="/var/log/steps/*/controller")  sourcetype="too_small" (host="ip-101-108-*-*" OR host="ip-101-109-*-*") | transaction source startswith=("/code/ttt_env.sh" OR "/code/ttt_gen.sh" ) endswith="startRun() called" | rex field=_raw "(?<step_function>\bs-[a-zA-Z0-9_]+)" It does return the output and value of  Query1 Output :  step_function values listed as  in field like : s-BBBUL8NJBYE45, s-AAAUL8NJBYEI3 Now these value I want to generate the further query using step_function values like ( Hard coded by hand it worked) append [search index="os" source=("/var/log/steps/s-BBBUL8NJBYE45/stdout" OR /var/log/steps/s-s-AAAUL8NJBYEI3/stdout")  sourcetype="too_small" (host="ip-101-108-*-*"" OR host="ip-101-108-*-*"*")] How to perform dynamically and achieve this functionality without hardcoding.  Tried like this but didn't work  index="os" (source="/var/log/steps/*/controller") sourcetype="too_small" (host="ip-101-108-*-*" OR host="ip-101-108-*-*") | transaction source startswith=("/code/ttt_env.sh" OR "/code/ttt_gen.sh") endswith="startRun() called" | rex field=_raw "(?<rec_prod_step_function>\bs-[a-zA-Z0-9_]+)" | search rec_prod_step_function="*" | append [search index="os" source="/var/log/steps/$rec_prod_step_function$/stdout" sourcetype="too_small" (host="ip-101-108-*-*" OR host="ip-101-108-*-*")] Note : "/var/log/steps/$rec_prod_step_function$/stdout" Thanks in advance. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-17-2020 12:56 PM