Splunk Search

Match by rex field in subsearch

infcl
Explorer

I have one log like:
log1 tid=,"tid":"abcd";

And another log like:
log2 userid=11 tid=abcd

I want to get the count of results where rexed tid in log1 matches tid in log2, deduped by userid.

I tried:
log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | eval tid1=tid | dedup userid] | stats count

However, it returned 0, though there should be more.

0 Karma

woodcock
Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ("log1" OR "log2")
| rex "tid=,\"tid\":\"(?<tid>.*)\";"
| eval which=if(searchmatch("log1"), "log1", "log2")
| dedup userid which
| stats dc(which) AS which_count BY tid
| where which_count==2
0 Karma

to4kawa
Ultra Champion

e.g.

| makeresults 
| eval _raw="userid=11 tid=abcd"
| appendpipe 
    [eval _raw="userid=12 tid=abce"]
| kv
| search
    [| makeresults 
    | eval _raw="tid=,\"tid\":\"abcd\";" 
    | rex field=_raw "\"tid\":\"(?<tid1>.*)\";" 
    | rename tid1 as query]

Recommend:

log2 
| kv
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query] 
| stats count by userid

Hi, @infcl
Maybe log1 does not have userid, so dedup userid can't work and the result is "0".
I don't know which fields are extracted, so I use kv.
If log2 has the field userid, kv is not needed.

0 Karma

infcl
Explorer

Unfortunately it didn't work.

log2 always has userid.

Even

log2
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]

did not return any results.

When I search log2 and log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 individually, they return results, so those portions are correct.

0 Karma

to4kawa
Ultra Champion

log2 "tid1 value"

return results?

My search uses the same logic.

I think you are saying:
search log2 ⇨ returns results
search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 ⇨ returns results
OK?

0 Karma

infcl
Explorer

Yes that's what I mean, the individual searches are correct. But the matching is not.

0 Karma

to4kawa
Ultra Champion

If the log2 tid field is extracted,

log2 [search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 |rename tid1 as tid]

This query should return results.
If it returns "0", there really is no result.

0 Karma
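A self-contained way to check the field-name point made in the answer above (added illustration, not code from the thread): the subsearch's field name must match the field the outer events actually carry, so tid1 is renamed to tid before the subsearch hands its values back. The events below are constructed with makeresults; no index is needed, and the kv command stands in for the userid/tid extraction that happens on real log2 events.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "userid=11 tid=abcd", n==2, "userid=11 tid=wxyz", n==3, "userid=12 tid=other")
| kv                                     ```constructed log2-style events; kv extracts userid and tid```
| search
    [| makeresults count=2
     | streamstats count AS n
     | eval _raw=if(n==1, "tid=,\"tid\":\"abcd\";", "tid=,\"tid\":\"wxyz\";")   ```constructed log1-style events```
     | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";"
     | table tid1
     | rename tid1 AS tid ]               ```the emitted term is tid="abcd" OR tid="wxyz", matching the outer field```
| stats dc(userid) AS users count AS matches
```

Run the bracketed subsearch on its own with `| format` appended to see the exact search string it emits; with the rename in place it names tid, without it it names tid1 and the outer search matches nothing. On the constructed data the final stats row is users=1, matches=2.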

jscraig2006
Communicator

I don't know if this will make a difference, but your regex is missing escapes on some of your characters. Try | rex "tid\"\:\"(?<tid1>[^\"]+)"

0 Karma

infcl
Explorer

@jscraig2006 that shouldn't be a problem, because log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 does return results.

0 Karma