We are feeding logs from a messaging middleware into our Splunk installation. Input and output logs for this middleware are respectively being stored with sourcetype flags app_input and app_output , with each app_input / app_output pair containing a common, alphanumeric transactionid contained in square brackets. We're trying to build a single line search that will result in a listing of ALL I/O log pairs for which either the app_input or app_output contains a specified string.
Attempting to solve this, we started with sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]\" . Now, we'd like the search to continue using each extracted transactionid .
We've tried queries w. subqueries along the lines of sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query without any apparent luck.
Any assistance would be greatly appreciated.
Thank you in advance,
Harold Falkmeyer
... View more