Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining Search Results (from a single Search)

koshyk
Super Champion
‎06-21-2013 06:21 AM

Hi Friends,
I'm new to SPLUNK, so might be a silly question.

I'm having a search based on an "identifier" which gives me back 3 results. Actually all of these messages were part of a single original "xml" message which got split by an intermediate system before Splunk. Hence I wanted to combine these messages back into the original xml message.

Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="schemas.xmlsoap.org/soap/envelope/" ><soapenv:Header/><soapenv:Body><ws:notify><ws:request><ws:actionTypeList><ws:genericActionTypes>ABCD</ws:genericActionTypes></ws:actionTypeList><ws:deviceRequest></ws:userAgent>version=1pm_fpua=mozilla/4.0 compatible msie 8.0 windows nt 5.1 trident/4.0 .net clr 1.1.4322 .net clr 2.0.50727...

Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ..1,4322)</ws:userAgent></ws:deviceRequest><ws:identificationData><ws:userLoginName>abc@gmail.com</ws:userLoginName><ws:userName>testUser</ws:userName><ws:pass>testPass</ws:pass><ws:phoneNumber>XXXXXXXX</ws:phoneNumber><ws:tex...

Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ...t>some Text message</ws:text></ws:request></ws:notify></soapenv:Body></soapenv:Envelope>
Tags (3)
0 Karma
Reply

starcher
Influencer
‎06-21-2013 06:55 AM

If you can decide which field indicates they all belong together such as that identifier field then look at the transaction command.

0 Karma
Reply

starcher
Influencer
‎06-21-2013 07:30 AM

If you can ensure the xml portion is going into a field for each event you might could use the eval command to make a new field and combine them back together. This is something that will take experimentation and time. No easy one command answer I am afraid.

0 Karma
Reply

koshyk
Super Champion
‎06-21-2013 07:16 AM

I used "identifier=ILOGENGINE_22" to identify the rows. This is not part of the XML as such but row-meta information. But now I want to combine the xml part of these messages.

0 Karma
Reply

koshyk
Super Champion
‎06-21-2013 06:24 AM

If you see its not pure XML, but combination of headers and XML. Once combined, I can then remove the unwanted elements.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...