Hello,
I'm trying to extract a customer number by having two searches pull web service calls and compare one field with the same values, then get the customer number from the subsearch. The reason for doing this with two web calls is that one is vital for determining if a user was created but does not contain the customer number; the second call carries the number.
Here's an example:
addCustomer call:
customer: {"Number":"","FirstName":"Foo","LastName":"Bar","phoneNumber":"1234567890"}
secondCall:
customer: {"Number":"12345676","FirstName":"Foo","LastName":"Bar","phoneNumber":"1234567890"}
I wanted to compare a field that is unique to this user, like the phone number or email (sometimes there isn't an email), and if they match, I wanted to get the Number in the second call (which is the subsearch).
Here's what I have to get both web calls for all users within a set time frame:
"addCustomer"
| rex field=_raw "\"phoneNumber\":\"(?<phoneNum>[^\"]+)"
| append [search "secondCall:" | rex field=_raw "\"Number\":\"(?<CustomerNumber>[^\"]+)" | rex field=_raw "\"phoneNumber\":\"(?<phoneNum>[^\"]+)" ]
I'm relatively new to Splunk, so any help would be appreciated!
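One way to do the correlation described in the question, as an added example that is not part of the original post: pull both calls in a single search and group on the phone number instead of appending a subsearch. The field names `callType` and `callTypes` are made up for this sketch, and it assumes the literal strings "addCustomer" and "secondCall:" appear in the raw events as shown in the post.

```spl
("addCustomer" OR "secondCall:")
| rex field=_raw "\"phoneNumber\":\"(?<phoneNum>[^\"]+)"
| rex field=_raw "\"Number\":\"(?<CustomerNumber>[^\"]+)"
| eval callType=if(searchmatch("addCustomer"), "addCustomer", "secondCall")
| stats values(CustomerNumber) as CustomerNumber dc(callType) as callTypes by phoneNum
| where callTypes=2 AND isnotnull(CustomerNumber)
```

Because the addCustomer event carries an empty "Number", the second `rex` only extracts a value from the secondCall event, and `where callTypes=2` keeps only phone numbers seen in both calls.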