Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search across multiple events and present it in report

runiyal
Path Finder
‎03-14-2016 10:36 AM

Hello,

I have a logfile with events -

2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess
---Multiple Lines---
2016-03-14 12:44:45,147 [catalina-exec-5] Uploading file to system from stream.
---Multiple Lines---
2016-03-14 12:44:55,246 [catalina-exec-5] File already exists in the location
---Multiple Lines---
Caused by: org.springframework.dao.DuplicateKeyException:

I need to create a report that Looks at "UploadProcess" from the First event and then either "File already exists in the location" OR "DuplicateKeyException" from other events.

How to search across multiple events and present it in report

Thanks!

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-14-2016 11:24 AM

Assuming "File already exists in the location" and "DuplicateKeyException" are both present in the same set of events, the transaction command should do the job for you.

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

runiyal
Path Finder
‎03-15-2016 07:18 AM

Hello Rich,

This query is working -

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | timechart count by day

Problem is it's very slow. How can we tune this query.

Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-15-2016 09:36 AM

How slow is "very slow"? If you're searching a large amount of data then you should expect it to be slow.
An entire course could be taught on tuning queries (not by me)but here are some tips. Try to make your base search as specific as possible so unneeded events are ignored. Avoid "all time" and "index=*" searches. Click on "Inspect Job" after your search completes to see where it is spending the most time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2016 11:03 AM

Is there any identifier linking the event Caused by: org.springframework.dao.DuplicateKeyException: to the event 2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess?

Obligatory: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...