Hi @cusello. Using the below search query, I get unique JSESSIONIDs. How would I add your second query string to this query:

index="atg_prod" "MainRefinementMenuHandler exceptionjava.lang.NullPointerException" | rex "JSESSIONID:(?[^.]+)" | dedup JSESSIONID

I'm very new to Splunk so apologies if this seems trivial...

I'm currently using this query to get unique JSESSIONIDs:

index="atg_prod" "MainRefinementMenuHandler exceptionjava.lang.NullPointerException" | rex "JSESSIONID:(?[^.]+)" | dedup JSESSIONID

With your query, I actually do not see any result. Maybe adding this would help?

\[REQUEST_URI:.(?N-[^,]),

I just don't know how to add it or if needs editing as I'm so new to Splunk

i just realized that my subsearch wouldn't work anyways since you don't have JSESSIONID defined in that index. try something like this, maybe

index="atg_prod1a"  | rex "JSESSIONID\:(?<JSESSIONID>[^.]+)"|join JSESSIONID [search index="atg_prod" "MainRefinementMenuHandler exceptionjava.lang.NullPointerException" | rex "JSESSIONID\:(?<JSESSIONID>[^.]+)"|stats count by JSESSIONID |fields - count ] | reverse|streamstats count by JSESSIONID|search count=3|rex "\[REQUEST_URI:.(?<REQUEST_URI>N-[^,]),"|table REQUEST_URI

We're almost there @cmerriman. It seems to be getting a result but it does not display anything. When I remove the 'table REQUEST_URI, I get the result with all details when I only need the 'N-' value. Is there any way we can see only the 'N-' values?

when you remove the |table REQUEST_URI and look over at the list of available fields in verbose mode on the left hand side, is REQUEST_URI in there? If so, is it the N- value you are looking for? if not, it's likely a problem with the rex command. I just noticed there is a difference in the rex i have above and the rex @cusello provided. try this:

 index="atg_prod1a"  | rex "JSESSIONID\:(?<JSESSIONID>[^.]+)"|join JSESSIONID [search index="atg_prod" "MainRefinementMenuHandler exceptionjava.lang.NullPointerException" | rex "JSESSIONID\:(?<JSESSIONID>[^.]+)"|stats count by JSESSIONID |fields - count ] | reverse|streamstats count by JSESSIONID|search count=3|rex "\[REQUEST_URI:.*(?<REQUEST_URI>N-[^,]*),"|table REQUEST_URI

I'm getting results but the rows in the table does not show any value. What could potentially be the reason?
I feel we're really close to achieving our goal. Thank you so much for your help so far!!

when you're in verbose mode, what are the available fields listed on the left hand side? do you have REQUEST_URI? if so, what is the value? any other important fields/values listed? are they accurate? it could be the regex being inaccurate.

In verbose mode, I'm seeing all fields and there's no REQUEST_URI field anywhere, unfortunately. There's JSESSIONID listed among other fields but apart from that field, I can't think of any other field to be equally important displayed.

i think it's a problem with the regex statement for REQUEST_URI. in the events tab, are you getting the correct events back before the table statement? I'm not sure why that regex wouldn't work. perhaps try something like this:

|rex "REQUEST_URI:.(?N-.), METHOD"

regex101.com is a great tool to tweak regex statements. you might have to just tweak it until you get that field extracted.

Good news @cmerriman! We're almost there! I did a few tiny tweaks in your query and I'm getting a list with the N- values in the table. Majority of the rows are still coming blank but I can see a few 'N-' values. This is the query I used:

index="atg_prod1a" | rex "JSESSIONID:(?[^.]+)" | join JSESSIONID [search index="atg_prod" "MainRefinementMenuHandler exceptionjava.lang.NullPointerException" | rex "JSESSIONID:(?[^.]+)"|dedup JSESSIONID] | reverse | streamstats count by JSESSIONID | rex "[REQUEST_URI:.*(?N-[^,]+),"|table REQUEST_URI

Now, I have 2 questions:
1. How do I get actual values in the table instead of some blank values?
2. How do I make sure that all the N- values in the list are the bad values I'm looking for and not a mix of bad and good?

In your example it was the third result. Is it always the third ? What qualifies it as bad?

To remove null values, add |search REQUEST_URI=*

@cmerriman That query removes the null values. Thanks you!

So regarding the N- values. There are good and bad N- values. Good N- values are those where if put inside a url, gives an actual webpage while a bad N- value gives a 'Page not Found' page which is what I'm looking for. Now, when I used to do this query index="prod" "JSESSIONID" | reverse', I would get multiple values with that JSESSIONID. However, whenever I would get a massive event (like in result 3), the event right after that one (result 4 in our case) has an N- value which gives the exact N- value I'm looking for as those values are always bad values. So is there a way to get that N- value from an event right after the big event? And no, it does not necessarily have to be the third result. It can be in any order but the bad N- value come in an event which is right after the big event like you see in my example. Hope my explanation was clear enough? I feel we're maybe only one step away from the needed result. Thank you again for all your help so far!!

how about adding something like

...| reverse|streamstats count by JSESSIONID|eval length=len(_raw)|streamstats window=1 current=f values(length) as previousLength by JSESSIONID|eval lengthDiff=prevLength-length

this would give you the number of characters in the _raw event and then the number of characters in the previous event, you might be able to search where the difference of lengths between events is so much?

This does not give me the table like in the previous query and even when I put the table tag, don't get my result.

Is there a way to skip to the next event if we have a big event? Let's say we have an event with more than 5 lines (most events have 5 lines or under) and when we have that event (big event) we skip to the next line and fetch the N- value from there and once we've got that value, we scan again for the next big event and repeat the same way. I think that way, we can get all the required N- values. Hope it makes sense and that there's a way to do it!

Yup! This gets me the JSESSIONID. Thanks @cmerriman!