Hello,
I would like to combine 2 events into one based on the content of the first one.
So every time I find an event containing the word "Banana" I want to combine it with the line that follows, regardless of what the following line is.
Could you please help out?
Thank you.
David
You could try the transaction command. Something like this could work.
index=* | transaction startswith="banana" maxevents=2
Having said this, keep in mind the sort order in Splunk may not be the same as what you are thinking. So what you think of as the "next" event may not be what Splunk considers to be the "next" event.
You should try to avoid using transaction whenever you can. Try this instead (faster and more robust):
... "banana" OR "the keyword in the next event" | reverse | streamstats count(eval(searchmatch("banana"))) AS SessionID | reverse | stats list(_raw) AS events by SessionID
I'm getting 0 results with that search. I agree with you that transactions are slow and yes, I think a better method would be to try to avoid it. How exactly does the reverse command work?
We need reverse so that as we work backwards through the list from top to bottom, we process the oldest events first, meaning that whenever we see a banana event, it marks the beginning of a new "session".
I made a mistake in that I used stats instead of streamstats. I have corrected this in my original answer; try again.
It's still not working for some reason... apparently SessionID is always empty...
ARGH! I blew it again! I used count(searchmatch("banana")) instead of count(eval(searchmatch("banana"))). I have updated my answer again. If you care to retry, I am sure it will work this time!
Try this
... "banana" OR "the keyword in the next event" | reverse | eval x=if(searchmatch("banana"), 1, 0) | streamstats sum(x) AS SessionID | reverse | stats list(_raw) AS events by SessionID
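The same streamstats approach with constructed sample events, so it can be pasted into a search bar as it stands. This is an added example, not code from the answer above. It makes three assumptions: the six events are built with makeresults (the sort 0 -_time only imitates the newest-first order a real search returns, which is why the reverse that follows it is needed); match(_raw, "(?i)banana") stands in for searchmatch("banana") so the case-insensitive test on the raw text is explicit; and a per-session position counter (pos) is added so that only the banana event and the single event that immediately follows it survive, whatever that next line contains, which is what the original question asked for when there is no known keyword to search for in the second event.

```spl
| makeresults count=6
| streamstats count AS seq
| eval _time = now() - (10 - seq) * 60
| eval _raw = case(seq==1, "host-a login ok",
                   seq==2, "host-a Banana request received",
                   seq==3, "host-a served 200",
                   seq==4, "host-b heartbeat",
                   seq==5, "host-c BANANA request received",
                   seq==6, "host-c served 500")
| sort 0 -_time
| reverse
| eval x = if(match(_raw, "(?i)banana"), 1, 0)
| streamstats sum(x) AS SessionID
| streamstats count AS pos by SessionID
| where SessionID > 0 AND pos <= 2
| stats min(_time) AS _time, list(_raw) AS events by SessionID
```

Events that arrive before the first banana get SessionID 0 and are dropped by the where clause; "host-b heartbeat" is position 3 of session 1 and is dropped as well, so each remaining session lists exactly the banana line followed by its successor, oldest first. Against a real index, replace the makeresults block with your own base search and remove the sort; the reverse must stay, for the reason given above.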
I think that should work. I did it with |transaction _time startswith="banana" endswith="the keyword in the next event" and since the "next" event was in chronological order, it worked fine for me ^^
Hello. You can do it through configuration files (props.conf and transforms.conf). Read this:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/Configureeventlinebreaking
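An added example of the index-time alternative that answer points to; it is not taken from the original post or from the linked page. It assumes a sourcetype named banana_pairs (hypothetical) whose lines each start with a timestamp, so that the normal date-based breaking keeps ordinary lines as separate events; a line containing Banana then suppresses the break before the line that follows it. Only props.conf is needed for this, no transforms.conf stanza. The settings are the documented line-merging keys; check the result against a sample file with the Add Data preview before rolling it out, because merging only affects data indexed after the change.

```ini
# props.conf (added example; the sourcetype name is hypothetical)
[banana_pairs]
SHOULD_LINEMERGE = true
# Normal case: every line that starts with a timestamp is its own event.
BREAK_ONLY_BEFORE_DATE = true
# A line containing "Banana" stops the break before the following lines ...
MUST_NOT_BREAK_AFTER = Banana
# ... until a line without "Banana" has been absorbed; the line after that starts a new event.
MUST_BREAK_AFTER = ^(?!.*Banana)
# Hard cap: a Banana line directly followed by another Banana line still yields a two-line event.
MAX_EVENTS = 2
```

Compared with the search-time transaction or streamstats approaches, this pairs the lines once, at index time, so every later search sees the banana line and its successor as a single event; the trade-off is that the pairing cannot be changed afterwards without re-indexing.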
Thanks
Can you put some sample data here? The closer to your original data, the better.