Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining Search Results (from a single Search)

koshyk
Super Champion
‎06-21-2013 06:21 AM

Hi Friends,
I'm new to SPLUNK, so might be a silly question.

I'm having a search based on an "identifier" which gives me back 3 results. Actually all of these messages were part of a single original "xml" message which got split by an intermediate system before Splunk. Hence I wanted to combine these messages back into the original xml message.

Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="schemas.xmlsoap.org/soap/envelope/" ><soapenv:Header/><soapenv:Body><ws:notify><ws:request><ws:actionTypeList><ws:genericActionTypes>ABCD</ws:genericActionTypes></ws:actionTypeList><ws:deviceRequest></ws:userAgent>version=1pm_fpua=mozilla/4.0 compatible msie 8.0 windows nt 5.1 trident/4.0 .net clr 1.1.4322 .net clr 2.0.50727...

Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ..1,4322)</ws:userAgent></ws:deviceRequest><ws:identificationData><ws:userLoginName>abc@gmail.com</ws:userLoginName><ws:userName>testUser</ws:userName><ws:pass>testPass</ws:pass><ws:phoneNumber>XXXXXXXX</ws:phoneNumber><ws:tex...

Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ...t>some Text message</ws:text></ws:request></ws:notify></soapenv:Body></soapenv:Envelope>
Tags (3)
0 Karma
Reply

starcher
Influencer
‎06-21-2013 06:55 AM

If you can decide which field indicates they all belong together such as that identifier field then look at the transaction command.

0 Karma
Reply

starcher
Influencer
‎06-21-2013 07:30 AM

If you can ensure the xml portion is going into a field for each event you might could use the eval command to make a new field and combine them back together. This is something that will take experimentation and time. No easy one command answer I am afraid.

0 Karma
Reply

koshyk
Super Champion
‎06-21-2013 07:16 AM

I used "identifier=ILOGENGINE_22" to identify the rows. This is not part of the XML as such but row-meta information. But now I want to combine the xml part of these messages.

0 Karma
Reply

koshyk
Super Champion
‎06-21-2013 06:24 AM

If you see its not pure XML, but combination of headers and XML. Once combined, I can then remove the unwanted elements.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...