Solved: Pass parameters from one search to another

simonattardGO · ‎03-02-2012

Hi all,

We have a system which always logs two lines, Eg:

1) Operation | Status | Time
2) Operation | Type

I want a search which would return all the second lines, where the first line Status is Failed.
Eg. If I have these four logs, I want a search which returns only the 4th line (because the status of the operation is fail)

GET | SUCCESS | 100ms
GET | type1

GET | FAIL | 1000ms
GET | type1

Any ideas on how I can achieve this?

Thanks a lot!

Ayn · ‎03-02-2012

I'd extract the "type1" value as a field and then create a transaction.

... | transaction maxevents=2 startswith="GET | FAIL"

Alternatively if you have some kind of unique identifier that connects the two, using a subsearch is more efficient. Say your log looks more like this:

id592 | GET | FAIL | 1000ms
id592 | type1

Then you could extract the identifier (let's call the field "id") and the type1 value ("type") and do:

type=* [search "GET | FAIL" | fields id]

View solution in original post

Ayn · ‎03-02-2012

I'd extract the "type1" value as a field and then create a transaction.

... | transaction maxevents=2 startswith="GET | FAIL"

Alternatively if you have some kind of unique identifier that connects the two, using a subsearch is more efficient. Say your log looks more like this:

id592 | GET | FAIL | 1000ms
id592 | type1

Then you could extract the identifier (let's call the field "id") and the type1 value ("type") and do:

type=* [search "GET | FAIL" | fields id]

Pass parameters from one search to another

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life