Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search across multiple events and present it in report

runiyal
Path Finder
‎03-14-2016 10:36 AM

Hello,

I have a logfile with events -

2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess
---Multiple Lines---
2016-03-14 12:44:45,147 [catalina-exec-5] Uploading file to system from stream.
---Multiple Lines---
2016-03-14 12:44:55,246 [catalina-exec-5] File already exists in the location
---Multiple Lines---
Caused by: org.springframework.dao.DuplicateKeyException:

I need to create a report that Looks at "UploadProcess" from the First event and then either "File already exists in the location" OR "DuplicateKeyException" from other events.

How to search across multiple events and present it in report

Thanks!

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-14-2016 11:24 AM

Assuming "File already exists in the location" and "DuplicateKeyException" are both present in the same set of events, the transaction command should do the job for you.

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

runiyal
Path Finder
‎03-15-2016 07:18 AM

Hello Rich,

This query is working -

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | timechart count by day

Problem is it's very slow. How can we tune this query.

Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-15-2016 09:36 AM

How slow is "very slow"? If you're searching a large amount of data then you should expect it to be slow.
An entire course could be taught on tuning queries (not by me)but here are some tips. Try to make your base search as specific as possible so unneeded events are ignored. Avoid "all time" and "index=*" searches. Click on "Inspect Job" after your search completes to see where it is spending the most time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2016 11:03 AM

Is there any identifier linking the event Caused by: org.springframework.dao.DuplicateKeyException: to the event 2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess?

Obligatory: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...