Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting id field from one event and looking for this id in another event

kdulhan
Explorer
‎08-31-2017 06:35 AM

Hi All,

I have the below two event logs:
Event1:
ns=app1, id=12,Error='400', Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 Error='400'
Above gives me the Event 1 where I have an error code of 400.

Kindly let me know how to fetch id from Event 1 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .

Thank you!

0 Karma
Reply

woodcock
Esteemed Legend
‎09-02-2017 11:27 PM

Like this:

ns=app1 [ns=app1 Error='400'  | table id]
| stats count BY id
| search count>1
| stats count
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2017 08:47 AM

Perhaps this will help get you started.

ns=app1 | transaction id startswith=eval(Error='400') | eval OutputField1=if(eventcount==2, 1, 0), OutputField2=if(eventcount==1, 1, 0) | stats sum(OutputField1) as OutputField1 sum(OutputField2) as OutputField2 | table OutputField2 OutputField2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kdulhan
Explorer
‎08-31-2017 09:13 AM

Thank you.

Event1:
ns=app1, id=12, [ErrorResponse] Service='CallGetAccount'

Event2:
ns=app1, id=12,', Service='CallGetRetro', Account='12345'

Now I have the below Search query =>

ns=app1 ErrorResponse
Above gives me the Event 1 where I have an error.

Kindly let me know how to fetch id from Event 1 i.e. id=12 and then search Event 2 with that id and if found, add 1 to Output field 1 and if not found, add 1 to Output field 2 and get the count displayed in table format .

Thank you

0 Karma
Reply

kdulhan
Explorer
‎09-01-2017 03:26 AM

In order to search for the error records, I use :
ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse

Here I get an event like:
timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234

Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.

Thank you!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2017 06:12 AM

That is different from your original question. It's difficult to provide an answer when the question changes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kdulhan
Explorer
‎09-01-2017 06:18 AM

My bad. I misread/misunderstood the logs. Kindly provide the guidance for my recent posted query.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2017 05:56 AM

Try this.

ns=app1 appId=* [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | return ActNo]
| stats sum(eval(appId=='New1')) as counter1 sum(eval(appId!='New1')) as counter2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...