Splunk Search

Combining events into one

echalex
Builder

We're experiencing a problem with having indexed data with the default MAX_EVENTS value of 256. While this can be fixed in the configuration for new events, is there any way of combining e.g. a java stack trace of say 2000+ lines, which has been split up into tens of events, when searching?

Since we have already indexed a whole lot of logs, I'd hate to re-index it all again.

Tags (2)
1 Solution

hazekamp
Builder

echalex,

Unfortunately, If you have indexed data based on non-optimal or incorrect line breaking, there is not much that can be done via search to reliably reconstruct your data. You may be able to use the "transaction" command to create a single event as long as each event matches the criteria you are using to build the transaction.

For instance if you wanted to create a single event from multiple events from the same source, same time, and had some type of additional identifier like java_id:

| transaction _time,source,java_id 

View solution in original post

hazekamp
Builder

echalex,

Unfortunately, If you have indexed data based on non-optimal or incorrect line breaking, there is not much that can be done via search to reliably reconstruct your data. You may be able to use the "transaction" command to create a single event as long as each event matches the criteria you are using to build the transaction.

For instance if you wanted to create a single event from multiple events from the same source, same time, and had some type of additional identifier like java_id:

| transaction _time,source,java_id 

echalex
Builder

I noticed I hadn't thanked you for the informative answer.
So thank you. 🙂 (Better late than never, eh?)

0 Karma

merugu448
Engager

Thank you!!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...