I have multiple events that are related by a similar sessionID. One event contains an employerCode, which is what I would want the input on the dashboard to be. I have hardcoded that to 00000 for now. I am looking to have my subsearch look for all logs associated with that employerCode and pull out all SessionIDs. When I run this subsearch by itself, it works fine.
sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?<sid>.*)\];" | dedup sid | table sid
Results:
sid
S1
S2
S3
etc.
However, I am now wanting to find all logs that contain those SessionIDs and the phrase "ReasonCode". I have attempted to use the following query, but am not getting any results:
sourcetype="ta" index="p_r" "ReasonCode" [search sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?<sid>.*)\];" | dedup sid | table sid]
However, if I were to try the following query by hardcoding the sessionID, I get what I am looking for:
sourcetype="ta" index="p_r" "ReasonCode" "S1"
It would be very appreciated if somebody could help me resolve my issue and point out my mistake.
Hi DanielWick,
I think the rex syntax in your search is incorrect.
rex field=_raw "SessionID:[(?.*)];"
If you want to extract the session id from your raw events and assign the values to a field, you should supply the field name in the regex capture group. For example, if your new field is sid, use the following search:
sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?<sid>.*)\];" | dedup sid | table sid
For details about the rex command, please refer to:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex
In your search below, you simply retrieved all the events with "S1" in the raw data, not with field sid="S1".
sourcetype="ta" index="p_r" "ReasonCode" "S1"
Also, please note that subsearch is not without its limitations. Subsearches are limited by both time and event count:
• Default time limit = 60 seconds
– If the subsearch continues to run after this time, it is finalized
– Only the events found during that time are returned to the outer search
• Default results limit = 10,000
– After 10,499 entries, the results are truncated (partial result set)
Hope this helps. Thanks!
Hunter
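An added example, not from the question or the answer, showing how to make the subsearch hand raw search terms to the outer search so it matches the same way the hardcoded "S1" query did; it assumes the question's sourcetype, index and field names, and tightens the author's greedy .* to [^\]]+ so the match cannot run past the closing bracket:

```spl
sourcetype="ta" index="p_r" "ReasonCode"
    [ search sourcetype="ta" index="p_r" "employer code [00000]"
      | rex field=_raw "SessionID:\[(?<sid>[^\]]+)\];"
      | dedup sid
      | rename sid AS search ]
```

A subsearch field named search is inlined as literal terms, so the outer search expands to "ReasonCode" with ( S1 ) OR ( S2 ) OR ... rather than sid="S1", a field the outer events never have extracted; the dedup also keeps the returned term list well inside the 10,000-result subsearch limit noted above.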