relating fields in multiple log format

irfy — Sun, 06 Jul 2014 08:32:29 GMT

I have the following three different types of logs coming into a single source-type

<189>Jul 06 15:38:54|100.888.94.888|sport=64920|sid=11635419210657705766|XX.XX.XX.XX|80|rt=9

<190>Jul 06 15:38:54|10.39.192.90|100.888.94.888|sport=64920|sid=11635419210657705766|Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0||SWEBS=1&SWECmd=InvokeMethod&SWEService=Message+Bar&SWEMethod=UpdatePrefMsg&SWEIPS=%400%600%601%600%60%603%60%60SWEBS%601%60&SWERPC=1&SRN=clPdw5go7eScsXlZ5zpUAlw4LuUxc1dUg1JRlUYnw8gb&SWEC=30&SWETS=1404625134263

<132>Jul 6 15:38:54 lbs241-mgt.com.au ASM:2014-07-06 15:38:54|THISISUSERNAME|ssid=c93ffac13b7f4368|sport=64920|sid=11635419210657705766|100.888.94.888|10.39.192.90|POST|/ppopenui/start.swe<SWECmd=InvokeMethod>|200|alerted

a) How do i relate using the "sid" :- for example for SWEService="Message*" the response time is in the line starting with "<189>" in the field "rt=" and the User who invoked this is in the line starting with "<132>" where i have put "THISISUSERNAME"(note there is no field name for username.)

Note:- All the three lines have constant formatting i.e. its a pipe delimited log file with specific values in each fields.
Also "<180>" , "<190>","<132>" are constant values that distinguishes the three type of logs.

What i am trying to do is to find the Avg response time(i.e. rt) plus another report of which user has viewed with SWEService

Appreciate help.
REgards Irfan

Re: relating fields in multiple log format

martin_mueller — Sun, 06 Jul 2014 13:16:38 GMT

You'll want to combine those events into a transaction:

sourcetype=whatever and other filters for your events | transaction sid maxspan=1s | timechart avg(rt) by SWEService

Similarly you can run other reports, such as | timechart values(user) by SWEService. I've assumed all events for one transaction happen at roughly the same time with maxspan=1s, that may or may not be correct for your case - adjust the span as required, or look at the other settings at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Transaction

That's assuming you already have the relevant fields extracted. rt, sid, and SWEService should be auto-extracted, you'd probably need a regular expression for the user, e.g. ^\<132\>[^|]+\|(?<user>[^|]+).

topic Re: relating fields in multiple log format in Splunk Search

relating fields in multiple log format

Re: relating fields in multiple log format