I am fairly new to Splunk queries.
I have the logs mentioned below:
INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=12345 - "Internal Server Error"
INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=12345 - "Foo"
INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=12345 - "Bar"
INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=45678 - "Success"
INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=45678 - "Foo"
INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=45678 - "Bar"
I need to search for events that have "Internal Server Error", then extract the transactionID and do a new search to print all the events that have that transactionID.
So my output should be:
INFO [HTTP-120]: 2017-08-02T18:00:03,157 - transactionID=12345 - "Internal Server Error"
INFO [HTTP-120]: 2017-08-02T18:00:02,110 - transactionID=12345 - "Foo"
INFO [HTTP-120]: 2017-08-02T18:00:01,100 - transactionID=12345 - "Bar"
The query should not fail if there are no events. I used a subquery to return the transactionID for the base query, but for 0 events it failed, saying: Comparator '=' has missing right side value.
Any help is much appreciated.
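One way to get this result without a subsearch at all, as an added example that is not part of the original post: extract transactionID from every event with rex, flag the events whose raw text contains "Internal Server Error", count those flags per transactionID with eventstats, and keep only the transactions whose count is above zero. The index name app_logs is an assumption, as is the assumption that transactionID values are digits (the sample logs show only numeric IDs; use [^\s]+ instead of \d+ if they can contain other characters).

```spl
index=app_logs
| rex field=_raw "transactionID=(?<transactionID>\d+)"
| eval is_error=if(like(_raw, "%Internal Server Error%"), 1, 0)
| eventstats sum(is_error) AS error_count BY transactionID
| where error_count > 0
| sort transactionID, -_time
| table _time, transactionID, _raw
```

Because the filtering is done with where on a field computed in the same pipeline, the "Comparator '=' has missing right side value" error cannot occur: when no event contains "Internal Server Error", error_count is 0 for every transaction and the search simply returns no rows. Events from which rex cannot extract a transactionID get no error_count and are dropped by the where clause as well. With the sample logs above, the output is the three transactionID=12345 events, newest first, and nothing for transactionID=45678.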