topic Re: Give complete log output on search in Splunk Search

Give complete log output on search

YanwuGuTelus — Sat, 04 Mar 2017 21:22:33 GMT

When I do a search, the search results only show the lines of the logs that are matching my query. Is it possible to show the entire log in the search results? For example, if I search for "FooLogs", the results will correctly show all log files that contain "FooLogs", but only show the line that contains those words. I want to know if I can show the entire contents of the log files that contain the search query.

Re: Give complete log output on search

richgalloway — Sat, 04 Mar 2017 21:57:17 GMT

You'll have to change your query to something more generic. Look at the output for the "FooLogs" search and find the index and source fields. Use them to compose a new query that will return everything in the same source as FooLogs. For example,

index=foo source=foo.log

Re: Give complete log output on search

YanwuGuTelus — Sat, 04 Mar 2017 22:06:14 GMT

Thanks, I tried this but I am now getting multiple output lines in the search results from the same log file. I want to have one result per log file that has all the content of the file.

Re: Give complete log output on search

koshyk — Sat, 04 Mar 2017 23:42:27 GMT

Have a try

index=foo source=foo.log| reverse | streamstats count(eval(searchmatch("xxxxx"))) AS xyz | reverse | stats list(_raw) AS wholeLogFile by xyz| table wholeLogFile

An example

index=_internal source="/opt/splunk/var/log/splunk/scheduler.log"| reverse | streamstats count(eval(searchmatch("xxxxx"))) AS xyz | reverse | stats list(_raw) AS wholeLogFile by xyz| table wholeLogFile

Re: Give complete log output on search

richgalloway — Sun, 05 Mar 2017 01:06:41 GMT

That wasn't clear from your question. koshyk's answer should do it.

Re: Give complete log output on search

YanwuGuTelus — Thu, 09 Mar 2017 22:04:48 GMT

It works, but the email i sent to my self started with a figure. how can i get rid of the figure at very beginning?