Say I have the following log, where I have separate input and output parts; however, they are processed as a batch in between:
input id=1 input_id=1
input id=2 input_id=2
input id=3 input_id=3
process id=4 input_ids=1,2,3
output id=5 input_id=1
output id=6 input_id=2
output id=7 input_id=3
I'd like to be able to trace the above in one transaction, such that when I search for input_id=1, I get this:
input id=1 input_id=1
process id=4 input_ids=1,2,3
output id=5 input_id=1
Is that possible (including modifying the log to fit Splunk searches)? I'd like to avoid spreading the logging, i.e. doing something like this:
input id=1 input_id=1
input id=2 input_id=2
input id=3 input_id=3
process id=4 input_id=1
process id=4 input_id=2
process id=4 input_id=3
output id=5 input_id=1
output id=6 input_id=2
output id=7 input_id=3
as there are many lines here that will make the log unreadable for human consumption if needed outside of Splunk. This could also be useful for non-Splunk scripts that depend on everything being on one line.
Another thing: batches are not demarcated; they are time-based. Think of the "process" part as something that's executed every 15 seconds or so. In that time frame, the number of input lines can be 1 or 1000. Outputs too; they depend on what the process spits out.
Processing is also not ordered. 1000 inputs can arrive, and it can pick 1 and 1000 in the next batch, then 2-999 in the following batch, as an example, due to priorities or other specifications by the user who pushed the inputs. The only way to know what was picked up in a batch is to look at input_ids.
I'm fine changing the format of individual lines. If I should go ahead and change:
process id=4 input_ids=1,2,3
to this:
process id=4 input_ids=1_2_3
that is doable and keeps the same information.
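As an added example (not part of the original post), the following Python script shows the correlation the question asks for, done outside Splunk: it parses the one-line-per-batch format above, treats the process line's input_ids list as a multivalue field, and pulls out every line that belongs to a given input_id, accepting both the comma-delimited and the proposed underscore-delimited forms. It also adds a consistency check for ids a process line picked up that never got an input or an output line, which is the kind of gap this format makes easy to spot. The sample log is constructed from the lines in the question; the function names are this example's own.

```python
import re

# Constructed sample log, copied from the question (not captured from a real system).
SAMPLE_LOG = """\
input id=1 input_id=1
input id=2 input_id=2
input id=3 input_id=3
process id=4 input_ids=1,2,3
output id=5 input_id=1
output id=6 input_id=2
output id=7 input_id=3
"""

KV_RE = re.compile(r"(\w+)=(\S+)")       # key=value pairs after the stage word
ID_SPLIT_RE = re.compile(r"[,_]")         # accept both "1,2,3" and "1_2_3"


def parse_line(line):
    """Split 'stage key=value ...' into (stage, {key: value})."""
    stage, _, rest = line.strip().partition(" ")
    return stage, dict(KV_RE.findall(rest))


def input_ids_of(fields):
    """Normalise the two schemas into one set of input ids.

    input/output lines carry input_id=N; process lines carry input_ids=1,2,3.
    This is the same idea as making input_ids a multivalue field in Splunk.
    """
    if "input_ids" in fields:
        return {v for v in ID_SPLIT_RE.split(fields["input_ids"]) if v}
    if "input_id" in fields:
        return {fields["input_id"]}
    return set()


def trace(log, input_id):
    """Return, in original order, every line that belongs to input_id's transaction."""
    wanted = str(input_id)
    matched = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _, fields = parse_line(line)
        if wanted in input_ids_of(fields):
            matched.append(line.strip())
    return matched


def unmatched(log):
    """Ids that a process line picked up but that have no input or no output line anywhere in the log.

    Because batches are time-based and unordered, presence is checked across the whole
    log rather than by position.
    """
    seen_input, picked, seen_output = set(), set(), set()
    for line in log.splitlines():
        if not line.strip():
            continue
        stage, fields = parse_line(line)
        ids = input_ids_of(fields)
        if stage == "input":
            seen_input |= ids
        elif stage == "process":
            picked |= ids
        elif stage == "output":
            seen_output |= ids
    return {
        "picked_without_input": sorted(picked - seen_input),
        "picked_without_output": sorted(picked - seen_output),
    }


if __name__ == "__main__":
    for line in trace(SAMPLE_LOG, 1):
        print(line)
    print(unmatched(SAMPLE_LOG))
```

The same normalisation can be expressed in SPL without changing the log format, for example by copying whichever of input_id or input_ids a line carries into one field, splitting it with `makemv delim=","`, expanding it with `mvexpand`, and then searching that field for the id of interest; switching the delimiter to `_` only changes the `delim` argument.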