
I'm using splunk enterprise web (GUI) and I am filtering through some logs of an API. The API has (2) types of logs - one is "My Api Response", which logs the API JSON response output, and the other is "My Api Request", which logs the input JSON. The issue I am investigating is some of my API Request logs contain null values for a key/value pair or field in the log called "carId":null.

The log in Splunk Web for both response/request looks something like this. Both have a "carId" field that I wanted to JOIN or do some kind of match on so I can investigate both request and response logs of the API: {"carId":123456789,"make":"toyota","year":"2015","model":"camry","value":25000.00}

I tried doing a few Splunk queries like: index=MyIndex* source="my/source/path/to/app.log" "My Api Request" AND "\"carId\":null" OR "My Api Response"

.... but I can never get both logs. It just gives me 1 or the other no matter what.

I was able to filter out the "carId" field with a query like this:

index=rtm* source="my/source/path/to/app.log" "My Api Request" "\"carId\":null," 
| rex field=_raw "(\"carId\":)(?<carIdField>[0-9]{1,9})"
| table carIdField

...but I want to use this extracted carId for my subsearch so I can further filter "My Api Responses" that only contain this carId

Or is there an easier way? I'm reading the Splunk documentation and StackOverflow posts and Splunk posts, but it's kind of confusing.

As I said above, I basically want to have both these requests (My Api Request and the My Api Response logs) ordered by Timestamp so I can see the API Requests that only had a null value for carId (I don't care about the ones that had real values, since that is expected) and I want to see the corresponding Api Response that correlates to that request (that would have the same carId). I guess another issue is I can have duplicate My Api Request or My Api Response logs, as it will log each time someone clicks/POSTS to the API, so it would be nice to filter those out, but I suppose for starters it would be nice to get a working query.
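One way to get both log types into a single, time-ordered result set, as an added example (not code from the question or its comments): it uses the parenthesised grouping of the two message types, extracts carId from request and response events with one rex (matching either digits or the literal null), and then keeps only the requests whose carId is null together with every response. The index, source path, message strings and the carId pattern are taken from the question; the `kind` field and the dedup step are assumptions.

```spl
index=MyIndex* source="my/source/path/to/app.log" ("My Api Request" OR "My Api Response")
| eval kind=if(like(_raw, "%My Api Request%"), "request", "response")
| rex field=_raw "\"carId\":(?<carId>null|[0-9]{1,9})"
| where kind="response" OR carId="null"
| dedup _raw
| sort 0 _time
| table _time kind carId _raw
```

`dedup _raw` collapses the repeated identical request/response events produced by repeated clicks, and `sort 0` removes the default result limit so long time ranges are not truncated. If the matching responses also carry `"carId":null`, replace the `where` line with `| where carId="null"` to narrow the output to just those pairs.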

  • Related: https://stackoverflow.com/q/67424702/4418 – warren May 10 '21 at 14:37
  • You need parentheses to group the conditions. If you want requests and responses with a null carId then you want `index=MyIndex* source="my/source/path/to/app.log" "\"carId\":null" ("My Api Request" OR "My Api Response")` – Jerry Jeremiah May 26 '21 at 23:46

0 Answers