topic Re: select query based on unique id in Splunk Search

select query based on unique id

anshumishra — Wed, 19 Oct 2011 15:02:27 GMT

Hi,
I have a log where the, app logs the various steps for a unique opertaion id (id below) ->
......
ts=1318861839975,name=stepOne,type=typeOne,id=a30a2286-1318861839810
ts=1318861845825,name=stepTwo,type=typeOne,id=a30a2286-1318861839810
......

It is possible that the stepTwo is not logged in case of some failure or there may be more failure steps (say stepThree), which we want to discard.
How can I do a select query, so that only the entries(id) which have both the steps (stepOne and stepTwo) logged, are displayed ?

Re: select query based on unique id

Ayn — Wed, 19 Oct 2011 16:24:26 GMT

Use transaction to combine events with the same id, then search for transactions that have both the values "stepOne" and "stepTwo" in the name field.

... | transaction id | search name="stepOne" AND name="stepTwo"

Re: select query based on unique id

anshumishra — Wed, 19 Oct 2011 17:13:43 GMT

Thanks Ayn !
That is what I wanted.I am new to this stuff, so I'll probably be asking some simple stuffs (after searching through the forum ofcourse), till I get hold of it.

Re: select query based on unique id

Ayn — Wed, 19 Oct 2011 19:43:32 GMT

Awesome! Could you please mark my answer as accepted? That way it will be shown clearly on the site that you got the help you needed for this question. Thanks!