I have a wrapper script calling the actual script and have 2 log files corresponding to it, and I need a way to correlate them and show them in a single Splunk search for a failed run.
For example, I have a log called wrapper__22238.log, inside which I have a Status message along with a runID, which will be the keyword to correlate with the child log: worker.log
Sample wrapper_JOB1_22238.log:
2021-05-25 05:19:59.817 INFO : Got response: Job: JOB1, runID: 1001-751b81bf-9d79-4283-b700-74e0c10c472a, Timeout: 7199, Request Time: 2021-05-25 04:19:03.333, Start Time: 2021-05-25 04:19:04.726, Status: RUNTIME_ERROR, Total Time: 3645869 ms
worker.log:
[Date=25/May/2021 04:19:06] [THREAD=61] [runID=1001-751b81bf-9d79-4283-b700-74e0c10c472a] [STEP=Write to Target] [status=ERROR] [Error copying the file to the destination /app/logis/internal/: /app/logis/internal/carrier_1456.out.gz (No such file or directory)]
Is there some way to retrieve both logs by just searching based on Job Name (JOB1 above)?
Assuming I will always have runID: in the wrapper status call, and the worker log will have that tagged in every transaction.
Thank you for any assistance.
The subquery approach below helped in my case:
(index=foo source=*worker* [search index=foo source=wrapper_JOB1* | stats max(runID) as runID] status=ERROR)
OR
(index=foo source=wrapper_JOB1*)
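The same correlation carried out outside Splunk, as an added example that is not part of the original post: it parses the two log formats quoted in the question and joins worker ERROR events onto every failed wrapper run of a job by runID. The COMPLETED status, the 1002/1003 runIDs and the JOB2 lines are constructed sample data, and treating only RUNTIME_ERROR as a failed status is an assumption.

```python
import re
from collections import defaultdict

# Field layouts taken from the two sample lines in the question.
WRAPPER_RE = re.compile(r"Job: (?P<job>[^,]+), runID: (?P<runID>[^,\s]+),.*?Status: (?P<status>\w+)")
WORKER_RE = re.compile(r"\[runID=(?P<runID>[^\]]+)\].*?\[STEP=(?P<step>[^\]]*)\] "
                       r"\[status=(?P<status>[^\]]*)\] \[(?P<message>.*)\]\s*$")

def failed_runs(wrapper_lines, job, failed_statuses=("RUNTIME_ERROR",)):
    """Return {runID: wrapper_line} for every failed run of `job` (not just one runID)."""
    runs = {}
    for line in wrapper_lines:
        m = WRAPPER_RE.search(line)
        if m and m["job"] == job and m["status"] in failed_statuses:
            runs[m["runID"]] = line
    return runs

def correlate(wrapper_lines, worker_lines, job):
    """Join worker ERROR events onto the failed wrapper runs of `job` by runID."""
    runs = failed_runs(wrapper_lines, job)
    errors = defaultdict(list)
    for line in worker_lines:
        m = WORKER_RE.search(line)
        if m and m["runID"] in runs and m["status"] == "ERROR":
            errors[m["runID"]].append((m["step"], m["message"]))
    # Failed runs stay in the result even with no worker ERROR, so gaps are visible.
    return {rid: {"wrapper": runs[rid], "worker_errors": errors.get(rid, [])} for rid in runs}

RUN_1001 = "1001-751b81bf-9d79-4283-b700-74e0c10c472a"  # runID from the question
WRAPPER_SAMPLE = [
    # First line is the sample from the question; the other two are constructed.
    "2021-05-25 05:19:59.817 INFO : Got response: Job: JOB1, runID: " + RUN_1001 + ", Timeout: 7199, Request Time: 2021-05-25 04:19:03.333, Start Time: 2021-05-25 04:19:04.726, Status: RUNTIME_ERROR, Total Time: 3645869 ms",
    "2021-05-25 06:02:11.120 INFO : Got response: Job: JOB1, runID: 1002-constructed, Timeout: 7199, Status: COMPLETED, Total Time: 1200 ms",
    "2021-05-25 06:10:00.000 INFO : Got response: Job: JOB2, runID: 1003-constructed, Timeout: 7199, Status: RUNTIME_ERROR, Total Time: 900 ms",
]
WORKER_SAMPLE = [
    # First line is the sample from the question; the other two are constructed.
    "[Date=25/May/2021 04:19:06] [THREAD=61] [runID=" + RUN_1001 + "] [STEP=Write to Target] [status=ERROR] [Error copying the file to the destination /app/logis/internal/: /app/logis/internal/carrier_1456.out.gz (No such file or directory)]",
    "[Date=25/May/2021 04:19:05] [THREAD=61] [runID=" + RUN_1001 + "] [STEP=Read Source] [status=OK] [done]",
    "[Date=25/May/2021 06:09:58] [THREAD=12] [runID=1003-constructed] [STEP=Read Source] [status=ERROR] [constructed failure]",
]

if __name__ == "__main__":
    for rid, hit in correlate(WRAPPER_SAMPLE, WORKER_SAMPLE, "JOB1").items():
        print(rid, hit["worker_errors"])
```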