Splunk Search

Is it possible to aggregate and search within aggregated results?

sohymg
New Member

My app logs multiple lines per request and each line has a "request_id" key for identification. For each request, there is an optional log line that contains a "session_id" key. How do I search to show all the log lines of a particular request which includes the "session_id" key?

Example:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session_id=1
request_id=2, msg=D

Wanted result:
request_id=2, msg=C, session_id=1
request_id=2, msg=D

0 Karma

jkat54
SplunkTrust
SplunkTrust
| eval r=_raw
| fields - _time _raw
| makemv r delim="request_" 
| mvexpand r 
| rex field=r "id=(?<request_id>\d+)\,\s+msg=(?<msg>\w+)(\,\s+session_id=(?<session>\d+))?" 
| rex field=r mode=sed "s/^id=/request_id=/g"
| search request_id=2 
| fields r
0 Karma

sohymg
New Member

I get some rows but they are empty.

0 Karma

DalJeanis
Legend

Your text says session_id but your example says session=. adonio's answer assumed the example data was correct, as opposed to your written description.

0 Karma

adonio
Ultra Champion

Hello sohymg,
indicate in your search that you are looking for events with the session field

index = <yourIndex> sourcetype = <yourSourcetype> request_id=* msg=* session=* | table _time host request_id msg session

hope it helps

0 Karma

sohymg
New Member

I tried this and there was no result. Just to clarify:

This is the entire dataset:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session=1
request_id=2, msg=D

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D

0 Karma

adonio
Ultra Champion

did you replace the values for index and sourcetype to match yours?

0 Karma

sohymg
New Member

Sorry there was some typo. I got it to work but the result is not what i want

Returned result:
request_id=2, msg=C, session=1

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D

0 Karma

adonio
Ultra Champion

so to be clear, what you would like to see is: if you have a value of 1 under the session field (session=1) then you want to see all events with request_id=2. is that correct?

0 Karma

sohymg
New Member

Yes thats correct

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...