Splunk Search

How to extract a string from a field to use in another search?

skiller1234
Explorer

So I am new to Splunk, but cannot seem to find the answer to this likely simple search question. I need to search for a string, then use that value in a second search. I'm assuming this will just be a subsearch.

For Example:

I can use this search to pull the piece of information I need, but it labels it as a field called callID. We have not set up callID as a field yet, it seems, and I don't want to rock the boat on that just yet, so I think I just need it as a string to use in the next search. Would I look for that "callID" part using regex?

index=sip-ra ani 18005551111 17775559999 ConfJoinNote | rex field=_raw "(?<callID>[^<]+)<\/callLegSessionID>"

that would return this as callID:

204.466.sip_reservationless_conference.102@64.214.111.111

Then my next search would have the above as a subsearch like so:

index=sip-ra [subsearch to get the callID string] "audio" "digits"

I just can't figure out how to get it to use that 204.466*** as part of that next search?

thank you!

skiller

sundareshr
Legend

Try this

index=sip-ra [ search index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?<callID>[^<]+)<\/callLegSessionID>" | table callID | rename callID as search ] "audio" "digits"
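
As an added worked example (not part of sundareshr's answer or the original post), the same approach written out with the two hardening steps a practitioner would usually want before trusting a subsearch: `dedup` so a call that logs the tag several times does not expand into a long list of ORed duplicates, and an `eval` that wraps the extracted value in double quotes so the outer search treats `204.466.sip_reservationless_conference.102@64.214.111.111` as one exact phrase rather than letting the dots and `@` be split by Splunk's term breakers. The index, search terms and tag name come from the thread; the `[^<]+` capture (anything up to the closing tag), the `dedup` and the quoting are assumptions made here.

```spl
index=sip-ra "audio" "digits"
    [ search index=sip-ra ani 18005551111 17775559999 ConfJoinNotify
      | rex field=_raw "(?<callID>[^<]+)<\/callLegSessionID>"
      | dedup callID
      | eval search="\"" . callID . "\""
      | fields search ]
```

To see exactly what the subsearch will splice into the outer search, run only the bracketed part on its own and finish it with `| table search`; each row's value is inserted verbatim (multiple rows are ORed together), which is why the quotes are added in `eval` rather than relying on the bare value. This relies on the field being named `search`; if the extraction ever returns nothing, the subsearch contributes no term and the outer search falls back to every `"audio" "digits"` event in the index, so check the row count of the inner search first.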

skiller1234
Explorer

Apologies - the first search is incomplete:

index=sip-ra ani 18005551111 17775559999 ConfJoinNotify | rex field=_raw "(?<callID>[^<]+)<\/callLegSessionID>"
