Hi there
A question: can you do something like a "transaction where"?
For example, all of the following logs merged, with the exception of those with the "dst" field:
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 sender=jorge@domain.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 subject="regards"
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 size=452132
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=luis@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=jhon@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=alex@example.com
Whereas the logs that have "dst" should continue to be shown.
PS: Skip APPEND
Can you try:
(your search params) | eval dst=if(isnull(dst),"NULL", dst) | transaction sessionid dst
Regards,
Olivier
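To see what Olivier's suggestion does to the sample above, here is an added Python model of it (not Splunk's own code and not from this thread): it fills a missing dst with "NULL" and groups by sessionid plus dst, so the three dst-less lines collapse into one event while each dst line stays its own event. The sample lines, the key=value regex and the function names are my own assumptions, and the grouping is a simplified version of what `transaction` does.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the log excerpt in the question (one session).
SAMPLE_LOGS = """\
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 sender=jorge@domain.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 subject="regards"
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 size=452132
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=luis@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=jhon@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=alex@example.com
"""

# Assumed key=value shape: bare words or a double-quoted string.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Extract key=value pairs, roughly like Splunk's automatic KV extraction."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_raw"] = line
    return fields

def eval_fill_dst(event):
    """Equivalent of: eval dst=if(isnull(dst),"NULL",dst)"""
    event.setdefault("dst", "NULL")
    return event

def transaction(events, *keys):
    """Simplified 'transaction <keys>': merge events that share every key value,
    keep first-seen order, and collect the other fields as multivalue lists."""
    groups = OrderedDict()
    for ev in events:
        gk = tuple(ev.get(k) for k in keys)
        grp = groups.setdefault(gk, {k: ev.get(k) for k in keys})
        grp.setdefault("_raw", []).append(ev["_raw"])
        for k, v in ev.items():
            if k in keys or k == "_raw":
                continue
            grp.setdefault(k, [])
            if v not in grp[k]:
                grp[k].append(v)
    return list(groups.values())

def run(raw=SAMPLE_LOGS):
    """Apply the eval, then group by sessionid and dst; returns merged events."""
    events = [eval_fill_dst(parse_event(l)) for l in raw.splitlines() if l.strip()]
    return transaction(events, "sessionid", "dst")
```

Running `run()` yields four events: one holding the three dst-less lines (dst="NULL") and one per recipient.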
Have a look at http://answers.splunk.com/answers/26330/multi-line-event-field-extraction , it might help you.
Hi OL
A question: is there something that allows me to split the merged logs?
That is, after the transaction,
do a | where isNull(src)
and those that do not have that field, I want to split. I tried with mvexpand,
but this splits a field; what I want is to split the entire log.
Maybe some command that splits via a regex?
haha!
It was so simple that I forgot that it could be.
Thank you very much.
Hi, thanks.
I need to merge all logs that do not have the "dst" field, but those that do have it must still be shown.
This looks like a very simple transaction on the sessionid; if you don't want dst, then you could just throw a NOT in there:
(your search params) dst!=* | transaction sessionid
Are there any other fields based on which you need to merge them?