Splunk Search

Extracting id field from one event and looking for this id in another event

kdulhan
Explorer

Hi All,

I have the below two event logs:
Event1:
ns=app1, id=12,Error='400', Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 Error='400'
Above gives me the Event 1 where I have an error code of 400.

Kindly let me know how to fetch id from Event 1 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format.

Thank you!

0 Karma

woodcock
Esteemed Legend

Like this:

ns=app1 [ns=app1 Error='400'  | table id]
| stats count BY id
| search count>1
| stats count
0 Karma

richgalloway
SplunkTrust

Perhaps this will help get you started.

ns=app1 | transaction id startswith=eval(Error='400') | eval OutputField1=if(eventcount==2, 1, 0), OutputField2=if(eventcount==1, 1, 0) | stats sum(OutputField1) as OutputField1 sum(OutputField2) as OutputField2 | table OutputField1 OutputField2
---
If this reply helps you, Karma would be appreciated.
0 Karma

kdulhan
Explorer

Thank you.

Event1:
ns=app1, id=12, [ErrorResponse] Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 ErrorResponse
Above gives me the Event 1 where I have an error.

Kindly let me know how to fetch id from Event 1 i.e. id=12 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format.

Thank you

0 Karma

kdulhan
Explorer

In order to search for the error records, I use :
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.

Thank you!

0 Karma

richgalloway
SplunkTrust

That is different from your original question. It's difficult to provide an answer when the question changes.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kdulhan
Explorer

My bad. I misread/misunderstood the logs. Kindly provide the guidance for my recent posted query.

0 Karma

richgalloway
SplunkTrust

Try this.

ns=app1 appId=* [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | return ActNo]
| stats sum(eval(appId=='New1')) as counter1 sum(eval(appId!='New1')) as counter2
---
If this reply helps you, Karma would be appreciated.
0 Karma
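The subsearch form used in the replies above is limited by default to 10,000 results and 60 seconds (limits.conf [subsearch] maxout and maxtime), and a truncated subsearch silently drops ids, so counters built on it can under-report. The same correlation for the latest version of the question (and, with id in place of ActNo, for the original one) can be done in a single pass with eventstats. This is an added example, not code from the thread; it assumes ActNo, Service and appId are already extracted fields whose values carry no surrounding quotes, and that ErrorResponse appears as a literal token in the raw error event.

```spl
ns=app1 ActNo=*
| eval is_error=if(searchmatch("ErrorResponse") AND Service="trigger1", 1, 0)
| eventstats sum(is_error) AS error_events BY ActNo
| where error_events>0 AND is_error=0 AND isnotnull(appId)
| stats count(eval(appId=="New1")) AS counter1, count(eval(appId!="New1")) AS counter2
```

The eval line marks each error record (add any further filters from the original error search, such as the Id exclusion, inside the if()); eventstats tags every event sharing that ActNo with the number of error records, and the where clause keeps only the non-error events of ActNo values that had at least one error, which is what the final stats counts.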