KVL
Reputation: 113
Merging multiple Splunk results
I need to write a Splunk query to get the status when given pid, last status should be printed,wrote individual queries to fetch the status but dnt know how to merge the queries.referred few docs but couldn't find a way.
"##payto"|rex field=msg "personid :(?<pid>[^,]+)" |rex field=msg ",(?<status>[^,\]]+)
//if this status is SUCCESS then i need to check for status of next step else i need to print this status
"Event :start"|rex field=msg "personid :(?<pid>[^,]+)"|rex field=msg " Status :(?<status>[^,]+)"
//if response is 200 then need to go to next step else print this status
Upvotes: 0
Views: 455
Answers (1)
Chenry Lee
Reputation: 380
Please try this:
| rex field=msg "personid :(?<pid>[^,]+)"
| rex field=msg ",(?<status>[^,\]]+)
| join type=left pid
[search "Event :start"
| rex field=msg "personid :(?<pid>[^,]+)"
| rex field=msg " Status :(?<status_2nd>[^,]+)"
| table pid, status_2nd
]
| eval status=if(status=200,status_2nd,status)
| table pid,status
P.S. I cannot remember the exact syntax of function if . :(
Upvotes: 0
Related Questions
- How to add multiple queries in one search in Splunk
- Splunk: combine fields from multiple lines
- How to merge two stats by in Splunk?
- Splunk: Stats from multiple events and expecting one combined output
- Splunk query based on the results of another query
- Splunk: Duplicate Fields, different fields - merge
- How to append two queries in splunk?
- show results from two splunk queries into one
- How to combine two queries in Splunk?
- Splunk combining multiple logs