topic Re: Need help with Splunk Query in Splunk Enterprise

Need help with Splunk Query

nilbak1 — Fri, 21 Aug 2020 16:24:09 GMT

Hello Splunkers,

I need help with below scenario:

I need to form query from xml log in below format.

TransactionID LineNumber Fulfiller
123 1 abc
124 1 xyz
125 1 def
2 xyz
126 1 abc
2 def
3 xyz

So, here in my xml logs sometime i am having only one LineNumber mentioned and correspondingly fulfiller.
However, in some log events i am having multiple LineNumbers with corresponding fulfillers for same transactionid.

I have used regex to extract transactionid, LineNumber and fullfiller name.

I want result in above format.
Hope I am able to explain my scenario.

Re: Need help with Splunk Query

nilbak1 — Fri, 21 Aug 2020 16:35:28 GMT

After using max_match in regex and running below query

my Query | stats values(LineNumber) as LineNumber values(Fullfiller) by TransactionID

I am getting as below result

10000056090658 1 abc
10000063819764 1 xyz
2
10000063819784 1 abc
2 def

10000063820877 1 abc
2
Not getting fulfillers with some of the line numbers.

Re: Need help with Splunk Query

Nisha18789 — Fri, 21 Aug 2020 21:50:09 GMT

hi @nilbak1 , can you share the regex you are using ? Or the log?

Re: Need help with Splunk Query

thambisetty — Sat, 22 Aug 2020 12:36:35 GMT

Try below,

my Query | stats list(LineNumber) as LineNumber list(Fullfiller) by TransactionID

values function displays only distinct values.

where as list displays linenumber and its fulfiller by transactionID

Re: Need help with Splunk Query

nilbak1 — Sun, 23 Aug 2020 06:06:07 GMT

Thanks @thambisetty

Yes, I used list function and it worked, got the results as required.

Anyways thanks for your reply.

Re: Need help with Splunk Query

thambisetty — Sun, 23 Aug 2020 06:30:00 GMT

Happy I solved your problem. Please like answer.