Splunk Search

How do I feed an array of strings from the results of a search to another search

ravishankarr
Explorer

I have set up a field extraction that parses OC4J Apache logs of the following format and extracts the ecid:

index="app" host="somehost*" sourcetype="access_log-too_small" AND req_status=500 AND req_srvc_time>1

which returns:

10.1.2.3 - - [24/Jul/2013:09:36:44 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action HTTP/1.1" 500 659 [7201 (secs)]

The extracted ecids would then be:
1374676196:192.168.1.2:3229:0:12737

I want to pass the ecids (there would be more than one) to another search that looks across all logs (application logs, frontend host logs, etc) and returns all entries it finds. I do this manually by performing the following search:

index="app" "1374676196:192.168.1.2:3229:0:12737*"

to get:

2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()?id=XyZ1312&sn=123456] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]
2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()?id=XbZ1312&sn=123456] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]
[Wed Jul 24 09:29:58 2013] [error] [client 10.1.2.3] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] mod_oc4j: request to OC4J locosprod0005:12501 failed: recv failed (errno=4)
10.1.2.3 - - [24/Jul/2013:09:29:58 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action?id=PTHG141277&sn=655164 HTTP/1.1" 500 659 [7202 (secs)]

The example I gave above uses one (1) ECID. The query would ideally look up all ECIDs returned by the first query and return the corresponding entries from other logs. Is there a way to combine these two queries? Thanks in advance!

0 Karma
1 Solution

ravishankarr
Explorer

lguinn's answer took me to the right query! Here it is:

index="app" [ search index="app"
host="somehost*" sourcetype="access_log-too_small" AND req_status=500
AND req_srvc_time>1 | rename ecid as query | fields query]


0 Karma


lguinn2
Legend

index="app" [ search index="app" host="somehost*" sourcetype="access_log-too_small" AND req_status=500 AND req_srvc_time>1 | table ecid ]

will work if you have less than 100 ecids.

0 Karma

lguinn2
Legend

index="app" [ search index="app" host="somehost*" req_status=500 sourcetype="access_log-too_small" AND req_srvc_time>1 | rename ecid as search ]

may be closer to what you need; it will return results from other logs. Still only works with less than 100 ecids.

0 Karma

ravishankarr
Explorer

Thanks, but that only returns results from access_log-too_small sourcetype. This may be due to the fact that I have defined ecid in the field extractions of that source type and not others. The other source types (log4j, access_combined, etc) don't have a field named ecid defined.

I was trying to avoid that and do a free-form search on _raw, as each application (sourcetype is log4j) appends the ecid in a different location. I am working with the developers to come up with a unified format that I can then create a field extraction for.

0 Karma
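Added example, not from the thread and not Splunk's own code: a small Python model of what the answers above work out. It runs the inner search (status 500, service time over 1 second) over constructed events in the thread's log formats, then renders the resulting ecids into the outer search the way Splunk's implicit `format` step does, once as `ecid="..."` terms (`| table ecid`) and once as bare free-text terms (`| rename ecid as query`), and shows why the first form only hits the sourcetype that has the `ecid` extraction while the second also hits log4j and Apache error-log events. The quoting of the rendered terms, the substring match used for free-text terms, the sample events and the 100-row cap (taken from lguinn2's comment, modelled here as `maxout`) are assumptions of this example.

```python
import re

# Constructed sample events modelled on the thread's log formats (not real data).
# Only the OC4J access log has an `ecid` field extraction configured; the log4j
# and Apache error-log events carry the ECID inside _raw only.
EVENTS = [
    {"sourcetype": "access_log-too_small", "_raw":
     '10.1.2.3 - - [24/Jul/2013:09:36:44 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] '
     '"GET /app-context/some.action HTTP/1.1" 500 659 [7201 (secs)]'},
    {"sourcetype": "access_log-too_small", "_raw":
     '10.1.2.4 - - [24/Jul/2013:09:37:01 -0700] [ecid: 1374676201:192.168.1.2:3229:0:12801,0] '
     '"GET /app-context/other.action HTTP/1.1" 200 120 [0 (secs)]'},
    {"sourcetype": "access_log-too_small", "_raw":
     '10.1.2.5 - - [24/Jul/2013:09:38:10 -0700] [ecid: 1374676270:192.168.1.2:3229:0:12950,0] '
     '"GET /app-context/third.action HTTP/1.1" 500 659 [4 (secs)]'},
    {"sourcetype": "log4j", "_raw":
     '2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action '
     '[//some!doSomething()] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]'},
    {"sourcetype": "apache_error", "_raw":
     '[Wed Jul 24 09:29:58 2013] [error] [client 10.1.2.3] [ecid: 1374676270:192.168.1.2:3229:0:12950,0] '
     'mod_oc4j: request to OC4J locosprod0005:12501 failed: recv failed (errno=4)'},
    {"sourcetype": "log4j", "_raw":
     '2013-07-24 07:40:00,001 INFO Foo - unrelated event ECID [1374676201:192.168.1.2:3229:0:12801,2]'},
]

# Field extraction that exists only for the access-log sourcetype, as in the thread.
ACCESS_RE = re.compile(
    r'\[ecid: (?P<ecid>[^,\]]+),\d+\] "[^"]*" (?P<req_status>\d{3}) \d+ '
    r'\[(?P<req_srvc_time>\d+) \(secs\)\]'
)


def extract_fields(event):
    """Return the extracted fields of an event; other sourcetypes get none."""
    if event["sourcetype"] != "access_log-too_small":
        return {}
    m = ACCESS_RE.search(event["_raw"])
    if not m:
        return {}
    fields = m.groupdict()
    fields["req_status"] = int(fields["req_status"])
    fields["req_srvc_time"] = int(fields["req_srvc_time"])
    return fields


def inner_search(events, status=500, min_secs=1):
    """The subsearch: access-log events with req_status=500 AND req_srvc_time>1."""
    return [f["ecid"] for f in map(extract_fields, events)
            if f and f["req_status"] == status and f["req_srvc_time"] > min_secs]


def format_subsearch(ecids, field, maxout=100):
    """Model of how subsearch rows are rendered into the outer search.

    A normal field name yields `( field="value" )` terms; the special names
    `search` and `query` yield the bare value as a free-text term. `maxout`
    models the result cap the thread mentions: rows past it are dropped silently,
    so a long list of ecids is truncated without any error.
    """
    rows = ecids[:maxout]
    if field in ("search", "query"):
        return " OR ".join(f'"{e}"' for e in rows)  # assumption: values are quoted
    return " OR ".join(f'( {field}="{e}" )' for e in rows)


def outer_search(events, clause):
    """Evaluate the rendered OR-clause: field terms need the extracted field,
    bare quoted terms match anywhere in _raw (substring match, a simplification)."""
    matches = []
    for ev in events:
        fields = extract_fields(ev)
        for term in clause.split(" OR "):
            term = term.strip()
            if term.startswith("("):
                name, _, val = term.strip("() ").partition("=")
                hit = fields.get(name) == val.strip('"')
            else:
                hit = term.strip('"') in ev["_raw"]
            if hit:
                matches.append(ev)
                break
    return matches


if __name__ == "__main__":
    ecids = inner_search(EVENTS)
    print("ecids from inner search:", ecids)
    for field in ("ecid", "query"):
        clause = format_subsearch(ecids, field)
        hits = outer_search(EVENTS, clause)
        print(f"\nrename ecid as {field} -> outer search: {clause}")
        for ev in hits:
            print("  ", ev["sourcetype"], "|", ev["_raw"][:70])
```

Run it and the `ecid` form returns only the two access-log events, while the `query` form also returns the log4j and Apache error-log lines that carry the same ECIDs in `_raw`. The `maxout` parameter is the thing to watch in a detection or incident-response pivot built this way: when the inner search returns more rows than the cap, the outer search silently covers only the first ones.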