Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I group log entries together when fields are not clearly delineated?

swerner
Explorer
‎05-07-2010 10:56 PM

I am evaluating Splunk for use in monitoring application logs and am wondering if it is possible to group together lines like the following relating the numbers in bold to each other and text in bold to each other.

[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: db_scoped_select_query: 3 976122186 0 0 53.14 select items-list-main-count_advanced 0.081 0.002 version_list_criteria 1

[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: Time-log, 2, 976122186, 0, 0, 53.14, /items/list-main, role_employee_rw_no_version_buyer, employee, 0.05, 0.25, 0.07, 0.23, 0.61, 19789, 66, items-list-main-count_advanced, select, 0.08, 623094, 433285

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-11-2010 04:46 AM

If they are in the same log file - are they both comma separated or does only the 2nd event have its fields separated by commas? I ask because if all values in the log file are separated by commas it may be even easier to do your field extractions. I strongly encourage field extractions first so you'll be setup for future successes.

If you're only trying to show the grouping is possible, even before you learn about the field extractions, you could do this

976122186 items-list-main-count_advanced | eval glue="fragileSolution" | transaction glue

...with the understanding that it is a fragile solution.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-11-2010 04:46 AM

If they are in the same log file - are they both comma separated or does only the 2nd event have its fields separated by commas? I ask because if all values in the log file are separated by commas it may be even easier to do your field extractions. I strongly encourage field extractions first so you'll be setup for future successes.

If you're only trying to show the grouping is possible, even before you learn about the field extractions, you could do this

976122186 items-list-main-count_advanced | eval glue="fragileSolution" | transaction glue

...with the understanding that it is a fragile solution.

0 Karma
Reply
Solved! Jump to solution

swerner
Explorer
‎05-11-2010 08:52 PM

I will plan to pursue field extractions. Thanks for your help

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-08-2010 07:44 PM

Is there any reason why you're not extracting the bold values as fields?

If you havent already, read through this section about fields and subsequent sections about search-time field extractions. http://www.splunk.com/base/Documentation/latest/Knowledge/Aboutfields

Once those values are correctly extracted, everything becomes a lot easier. For instance if the 976122186 value is extracted as a field called session_id this boils down to just: 

<your search> | transaction your_extracted_id_field
Reply
Solved! Jump to solution

swerner
Explorer
‎05-11-2010 08:51 PM

I am planning to pursue field extractions. Thanks for the link.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...