- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Grouping results with blank lines between each ite...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Currently I am going through a logfile, grouping by source and displaying the errors for that source. It basically looks like this:
logs\error.log | 123 ERROR: something went wrong
| 124 ERROR: 2309453250 )#UT%R)%)# invalid text
logs\info.log | 567 blah was restarted
What I would like it to look like, is
logs\error.log | 123 ERROR: something went wrong
|
| 124 ERROR: 2309453250 )#UT%R)%)# invalid text
| (this blank line can be here or not, doesn't matter too much)
logs\info.log | 567 blah was restarted
The reason for this is the table becomes massive and it's really hard to distinguish the different errors, as this search is emailed out and also a PDF report is generated.
I'm probably going the complete wrong way about this, and I'm guessing the join is because I'm doing list(). I've read a few things about using appendpipe, should I be doing something like that with each result or maybe a subsearch on _raw which returns each line plus a blank result? Each error is a single event, so ideally, I'd grab every error, with a "blank" error and just throw them all in a list.
Here is my query if it helps:
index=myindex ERROR tag::host="myhost"
| stats list(_raw) by source tag::host host
| rename tag::host as tag
| eval Hostname=tag + " (" + host + ")"
| rename list(_raw) as Errors
| rename source as Source
| dedup Source
| eval UtcTime=strftime(now(),"%d/%m/%Y %H:%M UTC")
If anyone could help me out or at least point me in the right direction, that would be great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a strategy that will take each detail line and add another blank line after it.
index=myindex ERROR tag::host="myhost"
| fields tag::host host source
| rename tag::host as tag, source as Source
| rename COMMENT as "got the fields removed and renames done early"
| rename COMMENT as "duplicate the record, sort them then blank out the second one"
| eval switch=mvappend("A","B")
| mvexpand switch
| sort 0 Source tag host _time switch
| eval _raw=if(switch="A",_raw," ")
| rename COMMENT as "roll them up, then clean up the format"
| stats list(_raw) as Errors by Source tag host
| eval Hostname=tag + " (" + host + ")"
| table Source Hostname Errors
| sort 0 Source Hostname Errors
I removed thededup on Source - that will give you only the first Hostname for each Source. Put it back in if that's what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a strategy that will take each detail line and add another blank line after it.
index=myindex ERROR tag::host="myhost"
| fields tag::host host source
| rename tag::host as tag, source as Source
| rename COMMENT as "got the fields removed and renames done early"
| rename COMMENT as "duplicate the record, sort them then blank out the second one"
| eval switch=mvappend("A","B")
| mvexpand switch
| sort 0 Source tag host _time switch
| eval _raw=if(switch="A",_raw," ")
| rename COMMENT as "roll them up, then clean up the format"
| stats list(_raw) as Errors by Source tag host
| eval Hostname=tag + " (" + host + ")"
| table Source Hostname Errors
| sort 0 Source Hostname Errors
I removed thededup on Source - that will give you only the first Hostname for each Source. Put it back in if that's what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you so much for your reply. I put a literal new line in the query on my mvjoin (changed it up quite a bit yesterday) and it worked well in the initial email, though if it was truncated and you clicked 'view entire message' on gmail, it would remove the spacing. This works perfectly!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a note to everyone else though, this is email client dependant. Windows mail on Windows 10 and Outlook (office 365) don't seem to put the blank lines it. I'm going to blame Microsoft 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you needed to enforce having those blank lines in every format, then you could do something like this...
| eval _raw=if(switch="A",_raw," - ")
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
