Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining two queries not giving the desired result

Deprasad
Path Finder
‎07-06-2023 04:06 AM

I have 2 queries and joining it with "Join" using the common field "SessionID".

With  the below query I'm just getting the results if there are results from both the search. If there is no result for either the parent search or the sub search the result is not getting printed.

For example if there is no LogoutTime available from the sub search, the results of parent search is not getting printed and. Is there any way to achieve the desired result.

index = test "testrequest"

| rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)"

| rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)"

| rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)"

| rex "(?:.+Status\=)(?<Status>\w+)"

| rex "(?:.+TimeTaken\=)(?<TimeTaken>\d+)"

| rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"

| table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID

| join SessionID

[search index = test "testrespone"

| rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)"

| rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"

| table SessionID,LogoutTime]

| table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID,LogoutTime

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Deprasad
Path Finder
‎07-07-2023 03:34 AM

Still the same format issue, where getting few rows of test request and then testresponse which has the logouttime as the last row.

Interestingly I'm getting the desired result for below query with just adding the Join type as Left. It seems splunk takes Join type as Inner by default which gives results if there is a match between search and subsearch.

index = test "testrequest"
| rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)"
| rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)"
| rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+Status\=)(?<Status>\w+)"
| rex "(?:.+TimeTaken\=)(?<TimeTaken1>\d+)"
| eval TimeTaken=TimeTaken1/1000
| rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| rex "(?:.+FailureReason\=)(?<FailureReason>[\w\s]+)"
| table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID
| join type=left SessionID
[search index = test "testresponse"
| rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| table SessionID,LogoutTime ]
| table Email,TransactionID,LoginTime,TimeTaken,SessionID,LogoutTime,Status,FailureReason

 

Thanks for the wonderful conversation and help that led to this excellent learning. 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Deprasad
Path Finder
‎07-06-2023 05:53 AM

I'm still not getting the LogoutTime. 
Also please note that the field from first query such as Email, TransactionID, LoginTime will have multiple values. PFA.

Preview file
38 KB
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2023 06:08 AM

Would "joining" by transaction id be a better way of correlating the events?

0 Karma
Reply
Solved! Jump to solution

Deprasad
Path Finder
‎07-06-2023 06:29 AM

The transaction ID is different for both the events, only common filed is "SessionID". there are few other fields which are common in name but has different values. 

The logic is, Single SessionID will have 'n' no of Email,TransactionID,LoginTime but only have one LogoutTime in a different event.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2023 08:18 AM

Try this

index = test "testrequest" OR "testrespone"
| rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)"
| rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)"
| rex "(?:.+TransactionTime\=)(?<TransactionTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+Status\=)(?<Status>\w+)"
| rex "(?:.+TimeTaken\=)(?<TimeTaken>\d+)"
| rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| eval LoginTime=if(searchmatch("testrequest"),TransactionTime,null())
| eval LogoutTime=if(searchmatch("testresponse"),TransactionTime,null())
| eventstats values(LogoutTime) as LogoutTime by SessionID
| table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID,LogoutTime

If this is still not working, it would imply that the extract of the transaction time is not working for the testresponse events or that the searchmatch for testresponse is not finding the right events. Either way, in order to be more help, please can you share some anonymised sample events (both testrequest and testresponse) so we can see what might be the issue?

0 Karma
Reply
Solved! Jump to solution

Deprasad
Path Finder
‎07-06-2023 09:33 AM

The Query works but some formatting is needed. 
For the test request I've multiple rows(Ex: multiple loginTime) and Test response will be only one(Ex: single logoutTime).

So the output is coming like first few rows for request and the followed by response as last row.

I need the output like something similar below:

Email | transactionID | logintime | status  | timetaken | sessionID | LogoutTime 
 xxx       xxxxxxxxxxx  02:10:00      xxxxx     xxxxxxxx    xxxxxxxxx    02:45:15    

yyy        yyyyyyyyyyy  02:15:15      yyyyy     yyyyyyyy     xxxxxxxxx   02:45:15

zzz        zzzzzzzzzzz  02:25:15     zzzzz       zzzzzzzz    xxxxxxxxx    02:45:15

Test request event: 
Test request:email=xxxx:trasactionId=xxx-xxx-xxx-xxx-xxx:RequestType=dummy:TimeTaken=16209,TransactionTime=02:10:00:SessionId=xxxxxxx:Status=SUCCESS

Test response event:
Test response:email=yyyyyy:trasactionId=yyyyy-yyyyy-yyyy-yyyy-yyyyy:TimeTaken=381:TransactionTime=02:45:15: SessionId=xxxxxxx:Status=SUCCESS



0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2023 10:05 AM

So, it sounds like you have everything you need apart from removing the testresponse line, so just add the following

index = test "testrequest" OR "testrespone"
| rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)"
| rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)"
| rex "(?:.+TransactionTime\=)(?<TransactionTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+Status\=)(?<Status>\w+)"
| rex "(?:.+TimeTaken\=)(?<TimeTaken>\d+)"
| rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| eval LoginTime=if(searchmatch("testrequest"),TransactionTime,null())
| eval LogoutTime=if(searchmatch("testresponse"),TransactionTime,null())
| eventstats values(LogoutTime) as LogoutTime by SessionID
| table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID,LogoutTime
| where searchmatch("testrequest")
Reply
Solved! Jump to solution
Solution

Deprasad
Path Finder
‎07-07-2023 03:34 AM

Still the same format issue, where getting few rows of test request and then testresponse which has the logouttime as the last row.

Interestingly I'm getting the desired result for below query with just adding the Join type as Left. It seems splunk takes Join type as Inner by default which gives results if there is a match between search and subsearch.

index = test "testrequest"
| rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)"
| rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)"
| rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+Status\=)(?<Status>\w+)"
| rex "(?:.+TimeTaken\=)(?<TimeTaken1>\d+)"
| eval TimeTaken=TimeTaken1/1000
| rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| rex "(?:.+FailureReason\=)(?<FailureReason>[\w\s]+)"
| table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID
| join type=left SessionID
[search index = test "testresponse"
| rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| table SessionID,LogoutTime ]
| table Email,TransactionID,LoginTime,TimeTaken,SessionID,LogoutTime,Status,FailureReason

 

Thanks for the wonderful conversation and help that led to this excellent learning. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Deprasad
Path Finder
‎07-06-2023 09:39 AM

The below query also works but its grouping the email,transactionid,logintime filed together in ascending order w.r.t the session ID causing mismatch between email,transactionid,logintime.

index = test "testrequest"
| rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)"
| rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)"
| rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+Status\=)(?<Status>\w+)"
| rex "(?:.+TimeTaken\=)(?<TimeTaken1>\d+)"
| rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID
| append
[search index = test  "testresponse"
| rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| table SessionID,LogoutTime]
| stats values(*) as * by SessionID
| table Email,TransactionID,LoginTime,TimeTaken,SessionID,LogoutTime,Status

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2023 06:07 AM

Is multiple values (for the same session id) what you were expecting?

Do you want multiple events for the same session id?

Perhaps if you could share some of your events (anonymised of course) to give a clearer picture of what you are dealing with?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2023 04:21 AM

Rather than using join (which is usually best avoided), try something like this

index = test "testrequest" OR "testrespone"
| rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)"
| rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)"
| rex "(?:.+TransactionTime\=)(?<TransactionTime>[a-zA-Z0-9\s:]+EDT)"
| rex "(?:.+Status\=)(?<Status>\w+)"
| rex "(?:.+TimeTaken\=)(?<TimeTaken>\d+)"
| rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)"
| eval LoginTime=if(searchmatch("testrequest"),TransactionTime,null())
| eval LogoutTime=if(searchmatch("testresponse"),TransactionTime,null())
| stats values(Email) as Email values(TransactionID) as TransactionID values(LoginTime) as LoginTime values(Status) as Status values(TimeTaken) as TimeTaken values(LogoutTime) as LogoutTime by SessionID
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...