topic Re: Help joining multi row search in Splunk Search

Help joining multi row search

kimberlytrayson — Wed, 01 Apr 2020 16:08:24 GMT

Hi everyone,
I am new to Splunk and still learning.

Can someone please help me on the below query?

My log file:

2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds

my requirement:

I want to get the screen name and service took time.
in the above example I need like this: "Select" screen services took 89 milliseconds

Please help me to get the query. I would really appreciate it! Thank you!

Re: Help joining multi row search

manjunathmeti — Thu, 02 Apr 2020 05:57:49 GMT

All these logs should contain a common values to join them together. Assuming [ - ] is the common value in all these logs you can try this:

| rex "\[(?<common_value>[\w\W]+)\]\s\-\sscreen\schanging\sto\s\[(?<service>\w+)\]" 
| rex "\[(?<common_value>[\w\W]+)\]\s-\sAll\sService\stook\s(?<duration>\d+\smilliseconds)" 
| stats latest(service) as service, latest(duration) as duration by common_value 
| eval output="\"".service."\" screen services took".duration." milliseconds"

Sample query:

| makeresults 
| eval _raw="_raw
2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds" 
| multikv forceheader=1 
| fields _raw 
| rex "\[(?<common_value>[\w\W]+)\]\s\-\sscreen\schanging\sto\s\[(?<service>\w+)\]" 
| rex "\[(?<common_value>[\w\W]+)\]\s-\sAll\sService\stook\s(?<duration>\d+\smilliseconds)" 
| stats latest(service) as service, latest(duration) as duration by common_value 
| eval output="\"".service."\" screen services took".duration." milliseconds"

Re: Help joining multi row search

to4kawa — Thu, 02 Apr 2020 07:45:46 GMT

| makeresults
| eval _raw="test
2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds
2020-03-30 13:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 13:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 13:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 13:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds"
| multikv forceheader=1
| fields _raw
| streamstats current=f count(eval(searchmatch("took"))) as session
| stats values(_raw) as _raw by session
| nomv _raw
| rex "(?ms)^.*\[(?<screen>\w+)\].*took (?<duration>\d+ \w+)"
| eval result="\"".screen."\" services took ".duration

I make session from screen changing to took
how about this?

Re: Help joining multi row search

to4kawa — Thu, 02 Apr 2020 07:46:19 GMT

your multikv is cool.