Developing for Splunk Enterprise

How to retrieve specific Splunk query response

msg4sunil
Path Finder

Team,

index sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as q|table q|format

returns me

( ( q="100223608103" ) OR ( q="D202204021000676" ) )

 

How do I get the below instead?

( ( "100223608103" ) OR ("D202204021000676" ) )

 

Thank you

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rename transactionid as query

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| rename transactionid as query

msg4sunil
Path Finder

Lovely thank you.  Just now figured out that even the below works

| rename transactionid as search

 

Source: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults

The following search looks for a value in the clID field that is associated with a name token or field value. The clID value is then used to search for several sources.

index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID ]

The subsearch returns the field and value in the format: ( (clID="0050834ja") )

To return only the value, 0050834ja, rename the clID field to search in the subsearch. For example:

index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID | rename clID as search ]

When the field is named search or query, the field name is dropped and the implicit | format command at the end of the subsearch returns only the value.

If you return multiple values, such as specifying ...| top limit=3, the subsearch returns each of the values with the boolean OR operator between the values. For example, if the previous search example used ...| top limit=3, the values returned from the subsearch are ( ( value1 ) OR ( value2 ) OR ( value3 ) ).

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

I always forget 'query' keyword

Here's the doco on those keywords

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Search/Changetheformatofsubsearchresults

 

bowesmana
SplunkTrust
SplunkTrust

Not exactly what you want, but replace format with

| return 999 $q

 that will give you 

(100223608103) OR (D202204021000676)

 

0 Karma