Concatenate subsequent values of a field within a ...

uxYcF · ‎10-07-2013

I have a log with requests with an ordernumber and a response. The response is: 100 - success or 1400,1401,1402 - various errors, eg: 1401 - re-ordering not possible).

2013/10/07 13:42:57,Request with orderNr:13014471; ResponseCode:1401
2013/10/07 13:42:56,Request with orderNr:13014471; ResponseCode:1401
2013/10/07 13:42:55,Request with orderNr:13014471; ResponseCode:100
2013/10/07 13:42:17,Request with orderNr:13035512; ResponseCode:100
2013/10/07 13:40:36,Request with orderNr:13035513; ResponseCode:100

I group similar requests in one transaction:

Request with orderNr | rex field=_raw "Request with orderNr:(?<orderNr>.*); ResponseCode:(?<response>.*)" | transaction orderNr maxspan=1h

How can I concatenate the subsequent values of the ResponseCode field within each transaction? With above I want to make a variable per transaction that contains the values "100 1401 1401", "100", "100"?

I want to count these and put them in a table:

subseqresp       count
100              2
100 1401 1401    1

Any help is welcome!

Solution

It works better without a transaction:

Request with orderNr | rex field=_raw "Request with orderNr:(?<orderNr>.*); ResponseCode:(?<response>.*)" | stats list(response) as subseqresp by orderNr | mvcombine subseqresp | chart count by subseqresp

sowings · ‎10-07-2013

I'd start with the mvlist argument to transaction, then you can do eval commands or perhaps mvexpand to get back to a list you can run stats on to get counts.

Concatenate subsequent values of a field within a transaction

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk