- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using result of one search in another search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using result of one search in another search
I have two logs:
Log 1:
12/5/13 3:29:14.000 peter is a dog
12/5/13 3:30:14.000 paul is a cat
Log 2:
12/5/13 3:30:14.000 Name:peter
12/5/13 3:29:14.000 Name:mary
I want to extract the field Name from Log2 and search for the Name in Log 1.
For example I want to get the following expected behavior:
Search 1:
source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\peter2.txt" "peter"
Result: 12/5/13 3:29:14.000 peter is a dog
To do this I constructed the following search with the help of a sub-search that extracts the Name field.
Search 2:
source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\peter2.txt" [search source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\mary2.txt"|rex ".Name:(?
Unfortunately my Search 2 does not return the same result as Search 1.
Could you tell me what I am doing wrong here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With the example data that you share, this might work for you.
source="C:\\Users\\vinorama.ST-USERS\\Work\\Splunk\\peter_paul\\peter2.txt" | rex "(?i)^(?:[^ ]* ){2}(?P<Name>[^ ]+)" | join Name [search source="C:\\Users\\vinorama.ST-USERS\\Work\\Splunk\\peter_paul\\mary2.txt" | rex "Name:(?<Name>[^ ]+)" | table Name]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this was helpful.
I am not trying something further:
Lets take the case again but change Log 1's data:
Log 1:
12/5/13 3:28:14.000 john is a dog
12/5/13 3:29:14.000 peter is 25
12/5/13 3:30:14.000 peter is a boy
12/5/13 3:30:14.000 paul likes chocolates
12/5/13 3:28:14.000 john likes chocolates
Log 2:
12/5/13 3:30:14.000 Name:peter Age:26
12/5/13 3:29:14.000 Name:mary Age:25
I need the output of my query to allow me to extract the next N lines after 'peter is 25'
For Example:
If I want the next 2 lines after 'peter is 25'
I want to first do a join as mentioned in your solution above and get the line "peter is 25"
Then I want to get the next two lines as well
So the output should be:
peter is 25
peter is a boy
paul likes chocolates
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this.
source="*peter2.txt" | rex "(?i)^(?:[^ ]* ){2}(?P<Name>[^ ]+)"
| eval sno=1 | accum sno | eval joinfield=1
| join max=0 joinfield
[search source="*peter2.txt" | rex "(?i)^(?:[^ ]* ){2}(?P<Name>[^ ]+)"
| eval start=1 | accum start | eval end=start+2 | eval joinfield=1
| join Name [search source="*mary2.txt" | rex "Name:(?<Name>[^ ]+)" | table Name]
| table Name,start,end,joinfield]
| where sno>=start AND sno<=end
You may update the source to your full path.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just one query, you want to extract next N lines after 'peter is a dog'. But as per your initial requirement, you were filtering records based on Name listed in Mary2.txt. Since, Mary2 has many records, after filtering it may give multiple records, so how you want to handle that? You want next lines for every match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this was helpful, please see my question below, I tried something further and am stuck again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this was helpful.
I am not trying something further:
Lets take the case again but change Log 1's data:
Log 1:
12/5/13 3:28:14.000 john is a dog
12/5/13 3:29:14.000 peter is a dog
12/5/13 3:30:14.000 paul is a cat
12/5/13 3:30:14.000 paul likes chocolates
12/5/13 3:28:14.000 john likes chocolates
Log 2:
12/5/13 3:30:14.000 Name:peter
12/5/13 3:29:14.000 Name:mary
I need the output of my query to allow me to extract the next N lines after 'peter is a dog'
For Example:
If I want the next 2 lines after 'peter is a dog'
I want to first do a join as mentioned in your solution above and get the line "peter is a dog"
Then I want to get the next two lines as well
So the output should be:
peter is a dog
paul is a cat
paul likes chocolates
I tried the following query but it did not help:
source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\peter3.txt" |transaction startswith=[search source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\peter3.txt" | rex "(?i)^(?:[^ ]* ){2}(?P
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
