I am able to get the multiple events (api's logs) in splunk dashboard like below

event-1:

{ "corrId":"12345", "traceId":"srh-1", "apiName":"api1" }

event-2:

{ "corrId":"69863", "traceId":"srh-2", "apiName":"api2" }

event-3:

{ "corrId":"12345", "traceId":"srh-3", "apiName":"api3" }

I want to retrieve corrId (e.g. "corrId":"12345") dynamically from one event (API log) by providing apiName, and build a Splunk search query based on the retrieved corrId value, meaning it will pull all the event logs which contain the same corrId ("corrId":"12345").

Output

In the above scenario the expected results would be like below

event-1:

{ "corrId":"12345", "traceId":"srh-1", "apiName":"api1" }

event-3:

{ "corrId":"12345", "traceId":"srh-3", "apiName":"api3" }

I am new to Splunk, so please help me out here: how do I fetch "corrId":"12345" dynamically by providing another field like apiName, and build a Splunk search query based on that?

I have tried the following, but with no luck.

index = "test_srh source=policy.log [ search index = "test_srh source=policy.log | rex field=_raw "apiName":|s+"(?<name>[^"]+)" | search name="api1" | table corrId]

This query gives the event-1 log only, but we need all the other events which contain the same corrId ("corrId":"12345"). Appreciate quick help here.

Daniel

1 Answer

Given you're explicitly extracting the apiName field, I'll assume the corrId field is not automatically extracted, either. That means putting corrId="12345" in the base query won't work. Try index=test_srh source=policy.log corrId="12345" to verify that.

If the corrId field needs to be extracted then try this query.

index=test_srh source=policy.log
| rex "corrId\\":\\"(?<corrId>[^\\"]+)"
| where [ search index=test_srh source=policy.log
  | rex "apiName\":\"(?<name>[^\"]+)"
  | search name="api1"
  | rex "corrId\\":\\"(?<corrId>[^\\"]+)"
  | fields corrId | format ]

Note: I also corrected the regex to properly extract the apiName field.

RichG
  • Thanks a lot for your answer. As per my event logs the field name is "x-xxxCorrId" instead of "corrId". I had tried the above query with "corrId" replaced by "x-xxxCorrId", but I am getting the following syntax error -- Error in 'rex' command: Encounter the following error while compiling rex 'x-xxxCorrId\":\"(?<x-xxxCorrId>[^\"]+)" Regex: syntax error in subpattern name (missing terminator). I have tried out many ways, still not resolved. – Nanireddy Thadi Oct 05 '20 at 13:12
  • The embedded quotation marks need additional escaping. I've modified the answer. – RichG Oct 05 '20 at 13:24
  • This time I got the following error -- Error in 'SearchParser': Mismatched ']'. Below is the query I used -- index=test_srh source=policy.log | rex "x-xxxCorrId\\":\\"(?<x-xxxCorrId>[^\\"]+)" | where [ search index = "test_srh source=policy.log | rex "apiName\":\"(?<name>[^\"]+)" | search name="api1" | rex "x-xxxCorrId\\":\\"(?<x-xxxCorrId>[^\\"]+)" | fields x-xxxCorrId | format ] – Nanireddy Thadi Oct 05 '20 at 13:55
  • Try adding another escape character for each embedded quotation mark. Also, try to avoid using hyphens in field names. – RichG Oct 05 '20 at 14:17
  • Now I am again getting the first error -- Error in 'rex' command: Encounter the following error while compiling rex 'x-xxxCorrId\":\"(?<x-xxxCorrId>[^\"]+)" Regex: syntax error in sub pattern name (missing terminator). I am not sure why it is appearing. – Nanireddy Thadi Oct 05 '20 at 14:30
  • Why are there single quotes around the field name within `rex`? That's not valid regex. Try `rex "x-xxCorrId\\":\\"(?[^\\"])"`. – RichG Oct 05 '20 at 14:44
  • It seems to be a copy-paste issue in the above comment; I have not used single quotes around the field name. I am still getting the same kind of error. When I tried to remove the hyphen in the field name, I got an error like this -- Error in 'where' command: The expression is malformed. An unexpected character is reached at ')' – Nanireddy Thadi Oct 06 '20 at 09:48
  • Using 3 escape characters works in my sandbox (Splunk 8). Try this run-anywhere example: `| makeresults | eval data="{ \"corrId\":\"12345\", \"traceId\":\"srh-1\", \"apiName\":\"api1\" }; { \"corrId\":\"69863\", \"traceId\":\"srh-2\", \"apiName\":\"api2\" }; { \"corrId\":\"12345\", \"traceId\":\"srh-3\", \"apiName\":\"api3\" }" | eval data=split(data,";") | mvexpand data | eval _raw=data | rex "apiName\":\"(?<name>[^\"]+)" | search name="api1" | rex "corrId\\\":\\\"(?<corrId>[^\\\"]+)" | fields corrId | format` – RichG Oct 06 '20 at 13:23
  • Thanks a lot for your patience. I am following the same way you did, but I am not sure why it has not been working for me. – Nanireddy Thadi Oct 06 '20 at 16:45
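A run-anywhere SPL version of the correlation asked about in the question, added here as an example and not part of the thread. It assumes the events are well-formed JSON in _raw (as the three samples are), so `spath` extracts the fields and no `rex` escaping is needed; instead of a subsearch, `eventstats` marks every corrId that has at least one api1 event and `where` keeps all events sharing that corrId. The three `makeresults`/`eval` lines build the sample events from the question; replace them with `index=test_srh source=policy.log` to run against real data.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n=1, "{ \"corrId\":\"12345\", \"traceId\":\"srh-1\", \"apiName\":\"api1\" }",
                 n=2, "{ \"corrId\":\"69863\", \"traceId\":\"srh-2\", \"apiName\":\"api2\" }",
                 n=3, "{ \"corrId\":\"12345\", \"traceId\":\"srh-3\", \"apiName\":\"api3\" }")
| spath
| eventstats count(eval(apiName="api1")) AS api1_hits BY corrId
| where api1_hits > 0
| table corrId traceId apiName
```

If the real field is named x-xxxCorrId, add `| rename "x-xxxCorrId" AS corrId` right after `spath`: a PCRE named capture group `(?<name>...)` allows only letters, digits and underscores, which is why the hyphenated name fails to compile in the comments above, and a plain rename sidesteps both that and the quoting of hyphenated field names in `eval`/`where`.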