- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I merge events on the basis of time and...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I merge events on the basis of time and fields?
I want to merge events that are in between state=" STARTED" and state="COMPLETED" i.e. All the following events of state="STARTED" and preceding to state="COMPLETED" will merge into a single event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
Do you have any field that may connect those events? Like an ID?
Then you could use transaction command with these parameters
endswith
Syntax: endswith=<filter-string>
Description: A search or eval expression which, if satisfied by an event, marks the end of a transaction.
startswith
Syntax: startswith=<filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the beginning of a new transaction.
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No Nothing to match.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well and to you have events starting in between the others?
I mean:
event A started at X and ended at Y
event B starter at X+5 and ended at Y+3
Do you also have those scenarios?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is the start time for each event, not the end time. And also not necessary that the event B start at X+5 .
So, In my case eventA gives me the log that Request1 started for user1
eventB gives me that Request2 has completed in time(* sec) for user2
And If there is any Error then another EventC is created in between A and B with Error log.
Now, I just want table "Error log" User.
Is this possible??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't see that possible if you don't have an element to trace the events back.
Can you show us a piece of your log with the events you mentioned?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's the code :
2018-02-09 18:10:25,542 INFO [qtp1687849576-8861]: "class name1" - [#0000e4ca] "Request1" from "ip_address1" ("email_id1") STARTED
2018-03-09 18:10:26,610 ERROR [qtp1687849576-12683]: "class name2" - Cannot retrieve. No UserLoginHistory information is stored.
2018-02-09 18:10:28,760 INFO [qtp1687849576-8861]: "class name1" - [#0000e4ca] "Request1" from "ip_address1"("email_id1") COMPLETED in 0.217s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you extract this "qtp1687849576" into field say abc and then
Can you try :
| transaction abc startswith="STARTED" endswith="COMPLETED"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @p_gurav
But can't rely on this "qtp..." thing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any other common field present in logs?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
