- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Combining Search Results (from a single Search)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combining Search Results (from a single Search)
Hi Friends,
I'm new to SPLUNK, so might be a silly question.
I'm having a search based on an "identifier" which gives me back 3 results. Actually all of these messages were part of a single original "xml" message which got split by an intermediate system before Splunk. Hence I wanted to combine these messages back into the original xml message.
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="schemas.xmlsoap.org/soap/envelope/" ><soapenv:Header/><soapenv:Body><ws:notify><ws:request><ws:actionTypeList><ws:genericActionTypes>ABCD</ws:genericActionTypes></ws:actionTypeList><ws:deviceRequest></ws:userAgent>version=1pm_fpua=mozilla/4.0 compatible msie 8.0 windows nt 5.1 trident/4.0 .net clr 1.1.4322 .net clr 2.0.50727...
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ..1,4322)</ws:userAgent></ws:deviceRequest><ws:identificationData><ws:userLoginName>abc@gmail.com</ws:userLoginName><ws:userName>testUser</ws:userName><ws:pass>testPass</ws:pass><ws:phoneNumber>XXXXXXXX</ws:phoneNumber><ws:tex...
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ...t>some Text message</ws:text></ws:request></ws:notify></soapenv:Body></soapenv:Envelope>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can decide which field indicates they all belong together such as that identifier field then look at the transaction command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can ensure the xml portion is going into a field for each event you might could use the eval command to make a new field and combine them back together. This is something that will take experimentation and time. No easy one command answer I am afraid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used "identifier=ILOGENGINE_22" to identify the rows. This is not part of the XML as such but row-meta information. But now I want to combine the xml part of these messages.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you see its not pure XML, but combination of headers and XML. Once combined, I can then remove the unwanted elements.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
