Splunk Search

How to add a field from a previous line to every logged event/line?

NK_1
Path Finder
I would like to associate the "ip" field with every log line, i.e.

Current source log format:

1227.125106.091263 ip=0xAABBCCDD
1227.125106.091264 X=7524.9
1227.125106.091265 X=11033.4 
1227.125106.091266 Y=11357.4
1227.125606.116667 ip=0xBBCCDDEE
1227.125606.116668 X=7414.8
1227.125606.116669 X=11055.9
1227.125606.116670 Y=9739.3

(there are additional junk fields, and additional junk lines beteween the lines above, in the actual logs)

My preferred log format for Splunking:

1227.125106.091263 ip=0xAABBCCDD, X=7524.9
1227.125106.091263 ip=0xAABBCCDD, X=11033.4
1227.125106.091263 ip=0xAABBCCDD, Y=11357.4
1227.125606.116667 ip=0xBBCCDDEE, X=7414.8
1227.125606.116667 ip=0xBBCCDDEE, X=11055.9
1227.125606.116667 ip=0xBBCCDDEE, Y=9739.3

So do I do something like this? What do I specify in place of "????" below?

...search... | "ip" OR "X" OR "Y" | append [????] | ...

Or like this?

...search... | "ip" OR "X" OR "Y" | strcat ???? | ...
0 Karma

wdhathaway
Explorer

If your real goal is to be able to search on any combination of IP/X/Y, then I think you can support that by using the splunk transaction command. That wouldn't change the raw text of your lines (which isn't really Splunk's bag so to speak), but does allow you to search upon data that might be spread across lines as well as viewing them grouped together.

Using a transaction, you could search against X=7524.9 and see the associated IP and Y values, or use ip=0xBBCCDDEE and see the associated X and Y values, etc.

0 Karma

myli12
Path Finder

I have a similar question but need a report instead of changing the raw data

ip X/Y
0xAABBCCDD 7524.9
0xAABBCCDD 11033.4
0xAABBCCDD 11357.4
0xBBCCDDEE 7524.9
...

Is there a way to generate a report?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...