Splunk subsearch for regex outputs - search

I want a single search query for the Splunk query below.
The first search gives me a dynamic field myorderid:
index=mylog "trigger.rule: Id - * : Unexpected System Error" | rex field=_raw "Id - (?<myorderid>[^:]*)" | table myorderid
I want to pass the above myorderid into the search criteria below:
index=mylog API=Order orderid=myorderid
Can anyone please help me create a single query using a subsearch in Splunk?

Have you tried the obvious?
index=mylog API=Order orderid=
[ search index=mylog "trigger.rule: Id - * : Unexpected System Error"
| rex "Id - (?<myorderid>[^:]*)" | fields myorderid ]

Related

Splunk rex Search - Unable to tabulate because of NULL

I want to extract "TimesAccesed" from the message field.
Message: PublicDomainAPI.SaveAsync: progresses = [{"UserGuid":"0a062514-def3-4ae5-9092-asd12easd","CourseId":"c71f6538-e379-447e-aaf3-asd1dasd","Status":"InProgress","UserScore":1,"TotalTime":"0:23:45","TimesAccessed":null,"CompletionDate":null,"LastTimeAccessed":"2022-07-23T09:59:12.191+00:00","SuccessStatus":"Pass","Bookmark":"en","SuspendData":null,"Progress":null,"RegistrationDate":"2022-07-23T09:59:12.191+00:00","RegistrationNumber":1}], total: 1
I used | rex field=Message "\"TimesAccessed\"\:\"(?<TimesAccessed>[^\"]+)"
But I am not getting tabulated results because my data has NULL.
The same works for other fields like
| rex field=Message "\"TotalTime\"\:\"(?<TotalTime>[^\"]+)"
| rex field=Message "\"CourseId\"\:\"(?<CourseId>[^\"]+)"
Checking your regex on regex101 shows that it fails - you're looking to match a literal ", but it's not there for your "null" value.
This regular expression is both simpler to read, and pulls what you're looking for (without the extraneous comma):
| rex field=Message "TimesAccessed[[:punct:]]+(?<TimesAccessed>[^\",]+)"
Use the [[:punct:]] character class to match any punctuation between the text you're trying to match.

KQL query, how to extend information from rendereddescription

I want to extend the query result with specific values, but I do not know how to get only a fragment of the information, the one shown on the screen. For example, from the "rendereddescription" section I only need the information about "server_principal_name", and I want to assign it to some value, e.g. "user". I know this needs to be resolved with | extend "variable name" = ..., but I do not know what the syntax is here.
you can use the parse operator: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parseoperator
for example:
print RenderDescription = @"... 0000000000 session_server_principal_name:ABB\HPAM-TCS-DB10 server_principal_sid:01050000000 ...."
| parse RenderDescription with * "session_server_principal_name:" session_server_principal_name " " *
which returns:
RenderDescription: ... 0000000000 session_server_principal_name:ABB\HPAM-TCS-DB10 server_principal_sid:01050000000 ....
session_server_principal_name: ABB\HPAM-TCS-DB10

How to fix 'error: Error: syntax error - at value'

I have objects like:
address: {
"phone" : 888,
"value" : 12
}
And in WHERE I need to find objects by address.value, but in SQL there's a function value(), so I always get an error.
I do it from node.js. Are there any ways to solve this without changing the objects?
The SQL request looks like:
SELECT count(*) as size FROM addresses WHERE address.value = 12
VALUE is a reserved word. If you want to use it as a common identifier, you need to enclose it in backticks:
SELECT count(*) as size FROM addresses WHERE address.`value` = 12

Using Match in a sqlite fts5 query but need more control over ranking?

I have a virtual table created using fts5:
import sqlite3
# create a db in memory
con = sqlite3.connect(':memory:')
con.execute('create virtual table operators using fts5(family, operator, label, summary, tokenize=porter)')
# some sample data
samples = {'insideTOP':
               {'label': 'Inside',
                'family': 'TOP',
                'summary': 'The Inside TOP places Input1 inside Input2.'
               },
           'inTOP':
               {'label': 'In',
                'family': 'TOP',
                'summary': 'The In TOP is used to create a TOP input.'
               },
           'fileinSOP':
               {'label': 'File In',
                'family': 'SOP',
                'summary': 'The File In SOP allows you to read a file'
               }
          }
# fill db with those values (bound parameters rather than str.format, so a quote
# in a summary can neither break nor alter the statement)
for operator in samples.keys():
    opDescr = samples[operator]
    con.execute("insert into operators (family, operator, label, summary) values (?, ?, ?, ?)",
                (opDescr['family'], operator, opDescr['label'], opDescr['summary']))
with following columns
+--------+-----------+---------+---------------------------------------------+
| family | operator  | label   | summary                                     |
+--------+-----------+---------+---------------------------------------------+
| TOP    | insideTOP | Inside  | The Inside TOP places Input1 inside Input2. |
| TOP    | inTOP     | In      | The In TOP is used to create a TOP input.   |
| SOP    | fileinSOP | File In | The File In SOP allows you to read a file   |
+--------+-----------+---------+---------------------------------------------+
an example query is:
# query the db
query = "select operator from operators where operators match 'operator:In*' or operators match 'label:In*' order by family, bm25(operators)"
result = con.execute(query)
for row in result:
    print(row[0])
And as a result I get
fileinSOP
insideTOP
inTOP
For this particular case though, I'd actually like the 'inTOP' to appear before the 'insideTOP' as the label is a perfect match.
What would be a good technique to be able to massage these results the way I'd like them?
Thank you very much
Markus
Maybe you can put your order rule in the question.
If you use bm25 to order your results, you can't achieve the result you want.
I suggest that you use your own custom rank function, like the SQL below:
query = "select operator from operators where operators match 'operator:In*' or operators match 'label:In*' order by myrank(family, operators)"
Defining a custom rank function is very easy in fts5; you can follow the guide on the fts5 website.
If you also want the bm25 result as a rank score, you can get the score in the rank method and calculate your final score from it.
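An added example (not code from the question or the answer) showing one way to get the requested order from Python. One caveat first: Python's sqlite3 module can only register ordinary SQL functions via create_function; it has no way to register an FTS5 auxiliary function (the kind that, like bm25, sees the match state), so the custom-rank route above needs a C extension. This example instead states the ranking rule in ORDER BY: family first, then an exact label match, then bm25. It also replaces the str.format string building from the question with bound parameters, and wraps the user's term in an FTS5 quoted string so that FTS5 operators typed by a user (OR, NOT, *) are matched as text instead of being interpreted. SAMPLES is the question's data; build_db, fts_prefix_query and search are this example's own names; the SQLite library must be built with FTS5.

```python
import sqlite3

# Sample rows from the question, embedded so the example runs offline.
SAMPLES = {
    "insideTOP": {"label": "Inside", "family": "TOP",
                  "summary": "The Inside TOP places Input1 inside Input2."},
    "inTOP": {"label": "In", "family": "TOP",
              "summary": "The In TOP is used to create a TOP input."},
    "fileinSOP": {"label": "File In", "family": "SOP",
                  "summary": "The File In SOP allows you to read a file"},
}


def build_db():
    """In-memory FTS5 table filled with bound parameters (no str.format into SQL)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create virtual table operators using fts5("
        "family, operator, label, summary, tokenize=porter)"
    )
    con.executemany(
        "insert into operators (family, operator, label, summary) values (?, ?, ?, ?)",
        [(d["family"], op, d["label"], d["summary"]) for op, d in SAMPLES.items()],
    )
    return con


def fts_prefix_query(term):
    """Build the MATCH expression for a user-supplied prefix. The term goes inside
    an FTS5 quoted string (embedded quotes doubled), so OR, NOT, * and column
    filters typed by the user are treated as text, not as query syntax."""
    quoted = '"%s"' % term.replace('"', '""')
    return "operator:%s* OR label:%s*" % (quoted, quoted)


def search(con, term):
    """Prefix search on operator and label, ordered by family, then exact label
    match, then bm25 relevance. The exact-label rule is this example's addition;
    it is what puts inTOP ahead of insideTOP for the term 'In'."""
    rows = con.execute(
        """
        select operator
        from operators
        where operators match ?
        order by family,
                 (lower(label) = lower(?)) desc,
                 bm25(operators)
        """,
        (fts_prefix_query(term), term),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = build_db()
    for op in search(con, "In"):
        print(op)
```

The MATCH string is passed as a bound parameter too, so the only text assembled by hand is the FTS5 expression itself, and there the term is confined to a quoted string; if you later need bm25 column weights or more rules, they can still be added in the ORDER BY without touching the query text.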

SSS_INVALID_SRCH_FILTER_JOIN when using filter expression on joined custom field

SuiteScript v1.
Searching on the item record type.
customrecord_sp_ecom_item_infoseo is a custom record type with a field called custrecord_sp_ecom_item_seo that references an item record. It also has a field called custrecord_sp_ecom_description, which is of type text.
I want to search for the items where the word "frozen" appears in custrecord_sp_ecom_description in the linked customrecord_sp_ecom_item_infoseo record and I want to use filter expressions.
Here's my expression:
[
[
"customrecord_sp_ecom_item_infoseo.custrecord_sp_ecom_description",
"contains",
"frozen"
]
]
And here's the error I get:
{"error" : {"code" : "SSS_INVALID_SRCH_FILTER_JOIN", "message" : "An nlobjSearchFilter contains an invalid join ID, or is not in proper syntax: custrecord_sp_ecom_description."}}
If I change the expression to:
[
[
"isonline",
"is",
true
]
]
then it works fine, albeit with the wrong results. So I know filter expressions can work, there's just something wrong with my expression.
How can I make it work?
When using the dot syntax for joins in filter expressions, the prefix of the dot is the ID of the field you are joining through, not the ID of the record type you are joining to (as it looks like you have here).
So, if I am searching Invoices, but I want to filter on the Sales Rep from the related Sales Order, it would look something like:
[
[ 'createdfrom.salesrep', 'anyof', salesReps]
]
Notice that it's not salesorder.salesrep, but rather createdfrom.salesrep because the createdfrom field is what links the record I am searching (Invoices) to the record I am joining (Sales Order). The same applies when using custom records. Your join will be something like custrecord_fieldid.custrecord_sp_ecom_description rather than using the record type.
