Question regarding search using IN on Splunk Search
3 weeks ago
Thank you for your suggestion. Please see my response to Will; I'm trying to figure out how I can use the fields in a subsequent search. Thank you for your time!
3 weeks ago
Will, thank you for your prompt response. This is my original anonymized query, which works so long as the number of request ids retrieved in the second set is small. Since the join failed, I am trying to extract request ids from the first search and feed them to the second search to limit the number of results. Hence my attempt to extract the request id as a variable and pass it to the subsequent search.

```spl
index="xyz-svc" "blah!"
| rex field=_raw "blah! cust_id=(?<cid>\d+)"
| stats count as error_count by cid
| sort - error_count
| head 10
| join type=left cid
    [ search index="xyz-svc" "blah!"
      | rex field=_raw "cust_id=(?<cid>\d+)"
      | rex field=_raw "(?:INFO\s+\[.*\]\s+)?\[(?<request_id>[A-Za-z0-9@\-]+)\]"
      | stats first(request_id) as request_id by cid
      | table cid request_id ]
| rename request_id as req_id
| eval req_id=trim(req_id)
| join type=left req_id
    [ search tag="prod" index="xyz-svc" Parameters (sourceName OR source_name OR vis-svc)
      | rex field=_raw "(?:INFO\s+\[.*\]\s+)?\[(?<req_id>[A-Za-z0-9@\-]+)\]"
      | eval req_id=trim(req_id)
      | eval 'vis-svc_match'=if(match(_raw, "vis-svc"), "vis-svc", null())
      | rex field=_raw "sourceName\"=>\"(?<sourceName>[a-zA-Z]+)\""
      | rex field=_raw "source_name\"=>\"(?<source_name>[a-zA-Z]+)\""
      | eval app_source=coalesce('vis-svc_match', sourceName, source_name)
      | where isnotnull(app_source) AND len(app_source) > 0
      | table req_id app_source ]
| table cid app_source req_id error_count
```

When I look at your suggestion, you recommend that I use fields, similar to:

```spl
index="xyz-svc" "blah!"
| rex field=_raw "blah! cust_id=(?<cid>\d+)"
| stats count as error_count by cid
| sort - error_count
| head 10
| join type=left cid
    [ search index="xyz-svc" "blah!"
      | rex field=_raw "cust_id=(?<cid>\d+)"
      | rex field=_raw "(?:INFO\s+\[.*\]\s+)?\[(?<request_id>[A-Za-z0-9@\-]+)\]"
      | stats first(request_id) as request_id by cid
      | table cid request_id ]
| rename request_id as req_id
| stats list(req_id) as req_id
| fields req_id
```

How would I pass this to the second query, which needs to filter by tag="prod" index="xyz-svc" Parameters (sourceName OR source_name OR vis-svc), extract request ids from those results, and ensure that they are in the req_id extracted above? I was trying IN for this reason with a map, and that was failing. Thank you for your time.
3 weeks ago
Hello: I have a query that extracts a set of 5 request_ids based on certain criteria. I then need to include these request ids in a subsearch using the "IN" operator. I build up the string for the search using the following:

```spl
| stats list(request_id) as req_id_list
| eval req_id_clause="(".mvjoin(req_id_list, ",").")"
```

I then use it in my query as follows:

```spl
| search req_id IN $req_id_clause$
```

However, Splunk interprets the $req_id_clause$ as a literal string that is "(req_id1, req_id2...)" and I get an error. What are my options to handle this? Thanks!
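The following is an added example, not from the original posts or from the Splunk documentation. In SPL, `$name$` is a dashboard or `map` token, not a reference to a field built with `eval`, so a string assembled with `mvjoin` is never spliced into `IN`. The idiomatic way to filter one search by ids produced by another is to let a subsearch generate the filter: a subsearch that ends with a field named `search` has its values (quoted, OR-ed together by `format`) substituted into the outer search as raw terms. The example below reuses the index, field names and regexes from the thread, assumes the request ids appear as literal tokens in the raw text of the Parameters events (which the poster's `rex` on `_raw` implies), and renames the hyphenated `vis-svc_match` field to `vis_svc_match` so it needs no quoting in `eval`. The top-10 pass then runs a second time via `append` so `cid` and `error_count` can be attached with `stats` instead of `join`.

```spl
tag="prod" index="xyz-svc" Parameters (sourceName OR source_name OR vis-svc)
    [ search index="xyz-svc" "blah!"
      | rex field=_raw "blah! cust_id=(?<cid>\d+)"
      | rex field=_raw "(?:INFO\s+\[.*\]\s+)?\[(?<req_id>[A-Za-z0-9@\-]+)\]"
      | stats count as error_count, first(req_id) as req_id by cid
      | sort - error_count
      | head 10
      | where isnotnull(req_id)
      | rename req_id as search
      | fields search
      | format ]
| rex field=_raw "(?:INFO\s+\[.*\]\s+)?\[(?<req_id>[A-Za-z0-9@\-]+)\]"
| eval req_id=trim(req_id)
| eval vis_svc_match=if(match(_raw, "vis-svc"), "vis-svc", null())
| rex field=_raw "sourceName\"=>\"(?<sourceName>[a-zA-Z]+)\""
| rex field=_raw "source_name\"=>\"(?<source_name>[a-zA-Z]+)\""
| eval app_source=coalesce(vis_svc_match, sourceName, source_name)
| where isnotnull(app_source) AND len(app_source) > 0
| stats values(app_source) as app_source by req_id
| append
    [ search index="xyz-svc" "blah!"
      | rex field=_raw "blah! cust_id=(?<cid>\d+)"
      | rex field=_raw "(?:INFO\s+\[.*\]\s+)?\[(?<req_id>[A-Za-z0-9@\-]+)\]"
      | stats count as error_count, first(req_id) as req_id by cid
      | sort - error_count
      | head 10 ]
| stats values(cid) as cid, values(app_source) as app_source, max(error_count) as error_count by req_id
| sort - error_count
| table cid app_source req_id error_count
```

The subsearch in brackets runs first and expands to something like `( ( "id1" ) OR ( "id2" ) ... )`, which Splunk applies while scanning the index, so `rex` only runs on Parameters events that already contain one of the ten ids. `| return 10 $req_id` is a shorter way to get the same bare-value expansion. Two caveats: subsearches are bounded by the default limits (10,000 results and 60 seconds) and silently truncate beyond them, which is harmless for ten ids but matters for the general case; and the `where isnotnull(req_id)` guard keeps a customer with no extractable request id from injecting an empty term into the filter. If running the top-10 pass twice is too expensive, writing it once to a lookup with `outputlookup` and reading it back with `inputlookup` in both places is the usual alternative.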
Labels: subsearch