I am new to Splunk.

I am trying to search some events in Splunk. What I want is to get all results which have the field "co_relation_id". One "co_relation_id" value is present in 4 to 6 different events.

I want to filter (sub-search from those 4 to 6 records) and get just one specific record for each unique co_relation_id.

What function shall I use here? I need to use some specific search criteria for my sub-search.

For instance, when I type "co_relation_id" in the search bar I get the following results:

co_relation_id="A" record 1
co_relation_id="A" record 2
co_relation_id="A" record 3
co_relation_id="A" record 4
co_relation_id="B" record 1
co_relation_id="B" record 2
co_relation_id="B" record 3
co_relation_id="B" record 4

From all of the above I want two records: co_relation_id="A" record 4 and co_relation_id="B" record 4.

Thanks,

asked 07 May '13, 14:32

revatiy
211
accept rate: 0%

Thank you!

(07 May '13, 15:35) revatiy

One Answer:

If record 4 is always the last record/event you are interested in you could try this:

base search | stats last(_raw) by co_relation_id

last(_raw) will give you the entire record/event. If there is a specific field you are interested in, you can use that instead of _raw.

An example using the _internal index of Splunk would be:

index=_internal source="/opt/splunk/var/log/splunk/metrics.log" | stats last(_raw) as myraw by group

If you do not want to display the co_relation_id (group in the example):

index=_internal source="/opt/splunk/var/log/splunk/metrics.log" | stats last(_raw) as myraw by group | fields myraw
answered 07 May '13, 14:48

chris
3.1k8737
accept rate: 41%

edited 07 May '13, 15:33
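As an added illustration (not part of the answer above, and not Splunk's own code), the following Python models what `stats last(_raw) by co_relation_id` does over a constructed set of events, and contrasts it with `stats latest(_raw) by co_relation_id`. The point worth knowing for this question: `last()` keeps the last value in the order the events reach `stats`, and a Splunk search returns events newest-first, so `last()` yields the chronologically oldest event per group, while `latest()` is keyed on `_time` and yields the newest. The event list, timestamps and record text below are all constructed for the example.

```python
"""Model of Splunk's `stats last(X) by Y` versus `stats latest(X) by Y`.

This is illustrative Python, not Splunk code. It assumes that events are
handed to `stats` in reverse chronological order (newest first), which is
how search results normally arrive in Splunk.
"""
from typing import Dict, List

# Constructed sample events, listed newest-first like a Splunk result set.
# One event lacks co_relation_id on purpose: stats drops events that are
# missing the "by" field, so it must not appear in the output.
EVENTS: List[Dict[str, object]] = [
    {"_time": 108, "co_relation_id": "A", "_raw": 'co_relation_id="A" record 4'},
    {"_time": 107, "co_relation_id": "B", "_raw": 'co_relation_id="B" record 4'},
    {"_time": 106, "co_relation_id": "A", "_raw": 'co_relation_id="A" record 3'},
    {"_time": 105, "co_relation_id": "B", "_raw": 'co_relation_id="B" record 3'},
    {"_time": 104, "_raw": "unrelated event without a correlation id"},
    {"_time": 103, "co_relation_id": "A", "_raw": 'co_relation_id="A" record 2'},
    {"_time": 102, "co_relation_id": "B", "_raw": 'co_relation_id="B" record 2'},
    {"_time": 101, "co_relation_id": "A", "_raw": 'co_relation_id="A" record 1'},
    {"_time": 100, "co_relation_id": "B", "_raw": 'co_relation_id="B" record 1'},
]


def stats_last(events: List[Dict[str, object]], field: str, by: str) -> Dict[str, object]:
    """Equivalent of `stats last(<field>) by <by>`.

    Keeps the last value seen in *input order*. With newest-first input this
    is the oldest event in each group.
    """
    out: Dict[str, object] = {}
    for ev in events:
        if by in ev and field in ev:
            out[str(ev[by])] = ev[field]  # later events overwrite earlier ones
    return out


def stats_latest(events: List[Dict[str, object]], field: str, by: str) -> Dict[str, object]:
    """Equivalent of `stats latest(<field>) by <by>`.

    Keeps the value from the event with the greatest _time in each group,
    independent of the order in which events arrive.
    """
    best: Dict[str, Dict[str, object]] = {}
    for ev in events:
        if by not in ev or field not in ev:
            continue
        key = str(ev[by])
        if key not in best or ev["_time"] > best[key]["_time"]:
            best[key] = ev
    return {key: ev[field] for key, ev in best.items()}


def only_field(rows: Dict[str, object]) -> List[object]:
    """Equivalent of tacking `| fields myraw` on the end: drop the group key."""
    return list(rows.values())


if __name__ == "__main__":
    print("last(_raw):  ", stats_last(EVENTS, "_raw", "co_relation_id"))
    print("latest(_raw):", stats_latest(EVENTS, "_raw", "co_relation_id"))
    print("fields only: ", only_field(stats_latest(EVENTS, "_raw", "co_relation_id")))
```

For the case in the question, where "record 4" is the most recent event for each co_relation_id, `stats latest(_raw) by co_relation_id` returns it regardless of how the results happen to be ordered; `last(_raw)` gives the oldest one unless the search is reordered first, for example with `| sort _time` before `stats`.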

Asked: 07 May '13, 14:32

Seen: 298 times

Last updated: 07 May '13, 15:35

Copyright © 2005-2014 Splunk Inc. All rights reserved.