Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I group log entries together when fields are not clearly delineated?

swerner
Explorer
‎05-07-2010 10:56 PM

I am evaluating Splunk for use in monitoring application logs and am wondering if it is possible to group together lines like the following relating the numbers in bold to each other and text in bold to each other.

[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: db_scoped_select_query: 3 976122186 0 0 53.14 select items-list-main-count_advanced 0.081 0.002 version_list_criteria 1

[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: Time-log, 2, 976122186, 0, 0, 53.14, /items/list-main, role_employee_rw_no_version_buyer, employee, 0.05, 0.25, 0.07, 0.23, 0.61, 19789, 66, items-list-main-count_advanced, select, 0.08, 623094, 433285

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-11-2010 04:46 AM

If they are in the same log file - are they both comma separated or does only the 2nd event have its fields separated by commas? I ask because if all values in the log file are separated by commas it may be even easier to do your field extractions. I strongly encourage field extractions first so you'll be setup for future successes.

If you're only trying to show the grouping is possible, even before you learn about the field extractions, you could do this

976122186 items-list-main-count_advanced | eval glue="fragileSolution" | transaction glue

...with the understanding that it is a fragile solution.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-11-2010 04:46 AM

If they are in the same log file - are they both comma separated or does only the 2nd event have its fields separated by commas? I ask because if all values in the log file are separated by commas it may be even easier to do your field extractions. I strongly encourage field extractions first so you'll be setup for future successes.

If you're only trying to show the grouping is possible, even before you learn about the field extractions, you could do this

976122186 items-list-main-count_advanced | eval glue="fragileSolution" | transaction glue

...with the understanding that it is a fragile solution.

0 Karma
Reply
Solved! Jump to solution

swerner
Explorer
‎05-11-2010 08:52 PM

I will plan to pursue field extractions. Thanks for your help

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-08-2010 07:44 PM

Is there any reason why you're not extracting the bold values as fields?

If you havent already, read through this section about fields and subsequent sections about search-time field extractions. http://www.splunk.com/base/Documentation/latest/Knowledge/Aboutfields

Once those values are correctly extracted, everything becomes a lot easier. For instance if the 976122186 value is extracted as a field called session_id this boils down to just: 

<your search> | transaction your_extracted_id_field
Reply
Solved! Jump to solution

swerner
Explorer
‎05-11-2010 08:51 PM

I am planning to pursue field extractions. Thanks for the link.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...