Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Results from Subquery

hfalkmeyer
New Member
‎06-08-2017 12:43 AM

We are feeding logs from a messaging middleware into our Splunk installation. Input and output logs for this middleware are respectively being stored with sourcetype flags app_input and app_output, with each app_input/app_output pair containing a common, alphanumeric transactionid contained in square brackets. We're trying to build a single line search that will result in a listing of ALL I/O log pairs for which either the app_input or app_output contains a specified string.

Attempting to solve this, we started with sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]\". Now, we'd like the search to continue using each extracted transactionid.

We've tried queries w. subqueries along the lines of sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query and others without luck.

Any assistance would be greatly appreciated.

Thank you in advance,

Harold Falkmeyer

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎06-08-2017 07:20 AM

for this subsearch, try something like this:

sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query|table query|format]

as long as query is in your sourcetype=app_*. your subsearch needs to end with a field name that is in the base search.

View solution in original post

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎06-08-2017 07:20 AM

for this subsearch, try something like this:

sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query|table query|format]

as long as query is in your sourcetype=app_*. your subsearch needs to end with a field name that is in the base search.

Reply
Solved! Jump to solution

hfalkmeyer
New Member
‎06-08-2017 09:57 PM

Worked like a charm. The missing component from my attempts was the table query. Thank you VERY much!!

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...