I am evaluating Splunk for use in monitoring application logs and am wondering if it is possible to group together lines like the following, relating the numbers in bold to each other and the text in bold to each other.
[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: db_scoped_select_query: 3 976122186 0 0 53.14 select items-list-main-count_advanced 0.081 0.002 version_list_criteria 1
[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: Time-log, 2, 976122186, 0, 0, 53.14, /items/list-main, role_employee_rw_no_version_buyer, employee, 0.05, 0.25, 0.07, 0.23, 0.61, 19789, 66, items-list-main-count_advanced, select, 0.08, 623094, 433285
If they are in the same log file - are they both comma separated, or does only the 2nd event have its fields separated by commas? I ask because if all values in the log file are separated by commas it may be even easier to do your field extractions. I strongly encourage field extractions first so you'll be set up for future successes.
If you're only trying to show the grouping is possible, even before you learn about the field extractions, you could do this
976122186 items-list-main-count_advanced | eval glue="fragileSolution" | transaction glue
...with the understanding that it is a fragile solution.
I will plan to pursue field extractions. Thanks for your help.
Is there any reason why you're not extracting the bold values as fields?
If you haven't already, read through this section about fields and the subsequent sections about search-time field extractions: http://www.splunk.com/base/Documentation/latest/Knowledge/Aboutfields
Once those values are correctly extracted, everything becomes a lot easier. For instance, if the 976122186 value is extracted as a field called session_id, this boils down to just:
<your search> | transaction your_extracted_id_field
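To make concrete what both answers recommend (extract the id and query name as fields first, then group on the id the way `transaction` does), here is an added Python model of that approach; it is not code from the thread or from Splunk. The field names session_id, query_name and op are assumptions, and the third event is a constructed extra line to show that unrelated ids stay in separate groups.

```python
import re
from collections import defaultdict

# Constructed sample events: the two lines from the question plus one
# extra db_scoped_select_query line with a different id.
EVENTS = [
    "[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: db_scoped_select_query: 3 976122186 0 0 53.14 select items-list-main-count_advanced 0.081 0.002 version_list_criteria 1",
    "[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: Time-log, 2, 976122186, 0, 0, 53.14, /items/list-main, role_employee_rw_no_version_buyer, employee, 0.05, 0.25, 0.07, 0.23, 0.61, 19789, 66, items-list-main-count_advanced, select, 0.08, 623094, 433285",
    "[29/Apr/2010:00:01:19][8456.-243491648][-conn2-] Notice: db_scoped_select_query: 3 976122187 0 0 12.00 select items-detail 0.010 0.001 version_list_criteria 1",
]

# One pattern per event shape. The named groups are the fields a Splunk
# search-time extraction would produce (field names are assumptions).
# The Time-log shape is comma separated, so it is matched by position;
# the db_scoped_select_query shape is space separated.
PATTERNS = [
    ("db_scoped_select_query", re.compile(
        r"db_scoped_select_query: \d+ (?P<session_id>\d+) \d+ \d+ [\d.]+ "
        r"(?P<op>\w+) (?P<query_name>[\w-]+)")),
    ("Time-log", re.compile(
        r"Time-log, \d+, (?P<session_id>\d+), (?:[^,]+, ){13}"
        r"(?P<query_name>[\w-]+), (?P<op>\w+),")),
]


def extract_fields(event):
    """Return the extracted fields for one raw event, or None if no
    pattern matches (an unmatched event must not be silently mislabelled)."""
    for event_type, pattern in PATTERNS:
        match = pattern.search(event)
        if match:
            return {"event_type": event_type, **match.groupdict()}
    return None


def transaction(events, field="session_id"):
    """Group extracted events on one field, as `| transaction <field>` does.
    Events that fail extraction are dropped rather than grouped together."""
    groups = defaultdict(list)
    for raw in events:
        fields = extract_fields(raw)
        if fields is not None:
            groups[fields[field]].append(fields)
    return dict(groups)


if __name__ == "__main__":
    for session_id, members in transaction(EVENTS).items():
        print(session_id, [m["event_type"] for m in members])
```

The same grouping is reached once both extractions exist in Splunk, whether via props.conf/transforms.conf or an inline `rex`, by running the search from the answer above with session_id as the transaction field.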
I am planning to pursue field extractions. Thanks for the link.