Splunk Search

complicated subsearches

htkhtk
Path Finder

I have jboss logs that print a message size every time jboss restarts. The message size is different every time jboss starts and a message is displayed:

2010-09-28 02:52:04,992 INFO messageSize=4194304bytes

I have a field extraction for the messageSize.

What I want to do now is pull this kind of log and determine what the message size is based upon the last time jboss started before the log (in this case, before 04:43):

2010-09-29 04:43:22,836 INFO Request information [requestid=364a05b7-2beb-4c68-8459-52e6fc4612b3]

I am able to pull one request and its message size using the following splunk query (although I can't get the request id printed in the table):

sourcetype="server09282010" [search sourcetype="server09282010" 364a05b7-2beb-4c68-8459-52e6fc4612b3 | head 1 | rename _time as latest| fields latest] |   WHERE MessageSizeBytes NOT NULL | head 1 | table _time MessageSizeBytes

What I really want is a table with requestid and message size (based upon the time when jboss was started).

I hope this makes sense; it is a complicated query.

Thanks!


Lowell
Super Champion

I'm not 100% sure that I fully understand what you are trying to do here. One possibility is to use the transaction search command:

sourcetype="server09282010" | transaction startswith=(INFO messageSize) mvlist=requestid | search 364a05b7-2beb-4c68-8459-52e6fc4612b3

You may be able to open the search timeframe slightly, then use stats to pull the values from across events. Off the top of my head, I don't know if a specific "latest" value is inclusive of that exact timestamp; if it is, then the -1 isn't needed... (This may need some tweaking...)

sourcetype="server09282010" [search sourcetype="server09282010" 364a05b7-2beb-4c68-8459-52e6fc4612b3 | head 1 | eval latest=_time-1 | fields latest] | search MessageSizeBytes=* | head 1 | stats min(_time), values(requestid), list(MessageSizeBytes)
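The correlation the question asks for, and that the transaction and subsearch answers above try to express in SPL, is "give each requestid the messageSize from the most recent jboss start before it". As an added illustration (not code from the thread), here it is worked through in Python over constructed log lines in the two formats quoted in the question, including a request that arrives before any restart has been logged. It is a model of the logic only, not a Splunk command.

```python
import re
from datetime import datetime

# Constructed sample log lines modelled on the two formats quoted in the question.
# The first request arrives before any restart, so it has no message size to inherit.
SAMPLE_LOG = """\
2010-09-28 01:00:00,000 INFO Request information [requestid=early-request]
2010-09-28 02:52:04,992 INFO messageSize=4194304bytes
2010-09-28 03:10:11,001 INFO Request information [requestid=aaaa-0001]
2010-09-28 22:00:00,000 INFO messageSize=8388608bytes
2010-09-29 04:43:22,836 INFO Request information [requestid=364a05b7-2beb-4c68-8459-52e6fc4612b3]
2010-09-29 05:00:00,000 INFO Request information [requestid=bbbb-0002]
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")
SIZE_RE = re.compile(r"messageSize=(\d+)bytes")       # the restart line's field
REQ_RE = re.compile(r"\[requestid=([^\]]+)\]")         # the request line's field


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def correlate(lines):
    """Return [(requestid, message_size_bytes_or_None), ...] in time order.

    Each request takes the size from the latest restart event that precedes it;
    a request logged before any restart gets None instead of a guessed value.
    """
    events = []
    for line in lines:
        match = TS_RE.match(line)
        if not match:
            continue                      # not a timestamped log line; skip it
        ts = parse_ts(match.group(1))
        size = SIZE_RE.search(line)
        req = REQ_RE.search(line)
        if size:
            events.append((ts, 0, "size", int(size.group(1))))
        elif req:
            events.append((ts, 1, "req", req.group(1)))
    # Sort by time; at an identical timestamp the restart (0) sorts before the request (1),
    # so a request logged in the same millisecond as a restart sees the new size.
    events.sort()
    current_size = None
    result = []
    for _ts, _order, kind, value in events:
        if kind == "size":
            current_size = value          # carry this size forward to later requests
        else:
            result.append((value, current_size))
    return result
```

Splunk's own equivalent of the carry-forward step is a streamstats or filldown over the time-sorted events; the Python above makes the ordering rule and the "no restart yet" case explicit.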

Lowell
Super Champion

You're right about the where clause, that's a new one on me. I did look in the docs and I didn't see that syntax, but it's possible I missed it. In any case, I updated my answer and removed that comment.


htkhtk
Path Finder

I got a transaction working to split out into 5 transaction statements for the 5 times jboss restarted, and I can see the requestids in chunks. Is there a way to break those out?


htkhtk
Path Finder

The where does work as expected. My main problem is getting a listing of all request ids with the message size (I am able to get one using the query above). I am trying the transaction approach to group every time jboss was started, but I don't think it is going to work for me.
