Solved: transaction or join where the search field changes...

stewartevans · ‎05-20-2015

Hi I have a log with entries similar to below

11:32:12,988 INFO [LOG TYPE: REQUEST] [REQUEST ID:46783e96-e146-4d35-9a3a-5ff95226a8bb] ...
11:32:14,364 SEVERE [LOG TYPE:EXCEPTION] [REQUEST ID:46783e96-e146-4d35-9a3a-5ff95226a8bb] ...
11:32:14,364 INFO [LOG TYPE:RESPONSE] [REQUEST ID:46783e96-e146-4d35-9a3a-5ff95226a8bb] ...

What I'm looking for is a search which displays all 3 which have the same REQUEST ID if it finds a SEVERE or LOG TYPE:EXCEPTION

Transaction almost sounds like what I want so I tried the following

sourcetype=cas SEVERE | transaction RequestId maxspan=5s maxpause=5s

However this only brings back the SEVERE entry.

Is there a way to do this with transaction or should I be looking at JOIN?

Thanks for your assistance

acharlieh · ‎05-20-2015

Comment for now as I'm half asleep spinning a theory:

One thought is search for all records with a RequestId, do the transaction, and then use either a search or where command to filter the results to only include those. e.g.

sourcetype=cas RequestId=* | transaction RequestId ...   | search SEVERE

View solution in original post

acharlieh · ‎05-20-2015

Comment for now as I'm half asleep spinning a theory:

One thought is search for all records with a RequestId, do the transaction, and then use either a search or where command to filter the results to only include those. e.g.

sourcetype=cas RequestId=* | transaction RequestId ...   | search SEVERE

stewartevans · ‎05-20-2015

acharlieh you are a genius! It works!!

acharlieh · ‎05-20-2015

Well excellent then! converted comment to an answer.

stewartevans · ‎05-20-2015

Cheers, thanks for such a quick response

transaction or join where the search field changes but another field is common

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor