topic How to get subset of lines from log in Splunk Search

How to get subset of lines from log

Splunklearning2 — Fri, 29 Apr 2022 05:46:17 GMT

Hi,

We have requirement where we have to get the start till end log of one process and when we get the log we can see the logs of other process as well which is running in parallel. So we want to get the lines of only the process which we have to work on. The process number changes at every run.

Sample Log:

2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started
2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData
2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection
2022-02-14 02:30:00,065 [Worker-2] DEBUG another process started
2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding
2022-02-14 02:30:00,082 [Worker-2] DEBUG ExistingAccount
2022-02-14 02:30:00,083 [Worker-2] DEBUG query is array
2022-02-14 02:30:00,097 [Worker-2] DEBUG Done.... assigning access for account
2022-02-14 02:30:00,524 [Worker-2] DEBUG closing connection
2022-02-14 02:30:00,547 [Worker-2] Task Complete
2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally...
2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email
2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended

we have used below search to get above log :

index=test sourcetype=debugLog | transaction startswith="User job started" endswith="User job ended"

we want the output as below. So how we can add extra logic to above search to get below output?

Re: How to get subset of lines from log

PickleRick — Fri, 29 Apr 2022 05:52:07 GMT

If I understand correctly, in your example you would want to have only the lines from Worker-3 without the lines from Worker-2, right?

You need to extract this field and use it in your transaction command to distinguish separate worker runs.

Re: How to get subset of lines from log

Splunklearning2 — Fri, 29 Apr 2022 05:54:07 GMT

Yes your understanding is correct. but the process number will be different everytime. Any sample command will be very helpful.

Re: How to get subset of lines from log

PickleRick — Fri, 29 Apr 2022 06:33:58 GMT

Ideally, parsing and field extraction should have been done as part of data onboarding so you should have the field "ready to use". But let's assume it hadn't been done.

So you have to parse the field from the event on your own. Assuming that the process name is always "worker-X", you can use

index=test sourcetype=debugLog
| rex "\[worker-(?<workerID>\d+)\]"
transaction workerID startswith="User job started" endswith="User job ended"

You can, alternatively, parse out anything that's between the brackets and use that value. Like

index=test sourcetype=debugLog
| rex "\[(?<ProcessID+)\]"
transaction ProcessID startswith="User job started" endswith="User job ended"

Re: How to get subset of lines from log

Splunklearning2 — Fri, 29 Apr 2022 07:32:18 GMT

I tried both the command but didn't worked.

index=test sourcetype=debugLog
| rex "\[worker-(?<workerID>\d+)\]"
transaction workerID startswith="User job started" endswith="User job ended"

in this I have to add | before transaction else it was failing. When I added | and ran the command it's giving 0 event. Can you explain what this command will do?

Other command is failing with REX error.

Re: How to get subset of lines from log

PickleRick — Fri, 29 Apr 2022 12:47:27 GMT

OK. I missed the pipe sign before the second line.

index=test sourcetype=debugLog
| rex "\[Worker-(?<workerID>\d+)\]"
| transaction workerID startswith="User job started" endswith="User job ended"