How to Build Splunk Search Query for below Scenario


I am able to get multiple events (API logs) in a Splunk dashboard like below:

event-1:

{ "corrId":"12345", "traceId":"srh-1", "apiName":"api1" }

event-2:

{ "corrId":"69863", "traceId":"srh-2", "apiName":"api2" }

event-3:

{ "corrId":"12345", "traceId":"srh-3", "apiName":"api3" }

I want to retrieve the corrId (e.g. "corrId":"12345") dynamically from one event (API log) by providing the apiName, and then build a Splunk search query based on the retrieved corrId value, i.e. it should pull all the event logs which contain the same corrId ("corrId":"12345").

Output

In the above scenario the expected results would be like below:

event-1:

{ "corrId":"12345", "traceId":"srh-1", "apiName":"api1" }

event-3:

{ "corrId":"12345", "traceId":"srh-3", "apiName":"api3" }

I am new to Splunk, please help me out here: how to fetch "corrId":"12345" dynamically by providing another field like apiName, and build a Splunk search query based on that.

I have tried the following, but with no luck.

index=test_srh source=policy.log [ search index=test_srh source=policy.log | rex field=_raw "apiName\":\s+\"(?<name>[^\"]+)" | search name="api1" | table corrId ]

This query gives the event-1 log only, but we need all the other events which contain the same corrId ("corrId":"12345"). Appreciate quick help here.


Answered by RichG:

Given you're explicitly extracting the apiName field, I'll assume the corrId field is not automatically extracted, either. That means putting corrId="12345" in the base query won't work. Try index=test_srh source=policy.log corrId="12345" to verify that.

If the corrId field needs to be extracted then try this query.

index=test_srh source=policy.log
| rex "corrId\\":\\"(?<corrId>[^\\"]+)"
| search [ search index=test_srh source=policy.log
  | rex "apiName\":\"(?<name>[^\"]+)"
  | search name="api1"
  | rex "corrId\\":\\"(?<corrId>[^\\"]+)"
  | fields corrId | format ]

Note: I also corrected the regex to properly extract the apiName field.
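As an added example (not RichG's answer and not the asker's query): if the policy.log events are well-formed JSON as shown in the question, `spath` extracts corrId, traceId and apiName without any regex, and the subsearch only has to return the set of corrId values to match on. The index, source and field names are taken from the question; the `dedup` and the final `table` are assumptions about what a useful result looks like, not something the page specifies.

```spl
index=test_srh source=policy.log
| spath
| search [ search index=test_srh source=policy.log
           | spath
           | search apiName="api1"
           | dedup corrId
           | fields corrId ]
| table _time corrId traceId apiName
```

The subsearch runs first and its result is expanded into the outer search as `( corrId="12345" )` (or an OR of several such terms if api1 was logged under more than one corrId), which is why the outer search then returns every event sharing that correlation id, not just the api1 event. Subsearches are capped by default at 10,000 results and 60 seconds of runtime, so `dedup corrId` keeps the returned list small when api1 is called often; if the field extraction is also needed at search time for the outer query, `spath` must appear before the `search` that consumes the subsearch result, as above.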