- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a search to merge logs with transacti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there
A query, you can do something like a "transaction where"
For example, all of the following logs, merged with the exception of those with the "dst" field
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 sender=jorge@domain.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 subject="regards"
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 size=452132
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=luis@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=jhon@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=alex@example.com
Whereas should continue to show the logs have "dst"
PS: Skip APPEND
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try:
(your search params) | eval dst=if(isnull(dst),"NULL", dst) | transaction sessionid dst
Regards,
Olivier
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try:
(your search params) | eval dst=if(isnull(dst),"NULL", dst) | transaction sessionid dst
Regards,
Olivier
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have a look at http://answers.splunk.com/answers/26330/multi-line-event-field-extraction , it might help you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi OL
A query, something that allows me to split the merged logs?
That is, after the transaction make a | where isNull(src) and those who do not have that field, I want to divide them. I tried with mvexpand but this divided field, what I want is to divide the entire log.
Maybe some command that divide through a regex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
haha!
It was so simple that I forgot that I could be.
thank you very much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Thanks
I need to have merged all logs that do not have the "dst" field, but must be followed showing those who do have
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this looks like a very simple transaction on the sessionid, if you don't want dst, then you could just throw a NOT in there;
(your search params) dst!=* | transaction sessionid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there any other field based on which you need to merge them?
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
