Knowledge Management

Find the first result of a query immediately following each search result of a different query

riksaundersonde
New Member

Hi there,
I have a stack trace that looks like this:

ERROR - ErrorCode0123
  at ...
  at ...
  at com.myorg.myproject.someclass.somefunction(some file.java:somelinenumber)

Unfortunately each line of the stack trace is showing up in splunk as a separate log event, not as one big log event. I can therefore search for the error code, but I'm having trouble using splunk searches/filters to automatically pull out the details of the class/method which is the source of the problem.

What I'd like to do is to run a search for ErrorCode0123, and then run a second search for the first instance of com.myorg.myproject following each search result.

Is there a way to do this?

0 Karma

adonio
Ultra Champion

@riksaundersondeloitte
You have 2 interesting answers here, did you try them?
did you figure out a solution?
if not, please elaborate so we can better assist

0 Karma

riksaundersonde
New Member

@adonio - I attempted both solutions. Unfortunately neither one quite worked for me:
I wasn't able to use the transaction command as the log lines don't have any kind of UID to group them together.
I did attempt to use the localize/map search combination, but it seems to pick up quite a lot of secondary log events that don't match with the first one (i.e. lines from unrelated stack traces).

0 Karma

DavidHourani
Super Champion

You can specify the number of lines or an ending keyword for the transaction and it will fetch everything in between. Something like | transaction JSESSIONID clientip startswith="view" endswith="purchase" from here: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Transaction. You can cheat and use the sourcetype as a common field.

0 Karma

jodyfsu
Path Finder

I think you can do the original search and then do a localize to search again with the new criteria:

index=? "ErrorCode0123"
| localize timebefore=3s timeafter=3s
| map search="search sourcetype=\"?\" source=\"?\" starttimeu=$starttime$ endtimeu=$endtime$"

0 Karma

DavidHourani
Super Champion

Did you try using props/transforms to make sure all the lines are in a single event? This would make your life way easier.

You could also go for the transaction command, defining the first and last event you want to have and group them together. It's resource intensive but it will do the trick if you can't group the events into one. See the reference here:
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Transaction

0 Karma
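An added example (not from any of the posters) of the startswith/endswith transaction approach described above, applied to the stack trace in the question: only the error line and the com.myorg.myproject frame lines are kept, so each transaction runs from one ErrorCode0123 line to the first com.myorg.myproject line that follows it on the same host and source. The index and sourcetype names are assumed placeholders.

```spl
index=app_logs sourcetype=java_app
    ("ErrorCode0123" OR "com.myorg.myproject")
| transaction host source
    startswith="ErrorCode0123"
    endswith="com.myorg.myproject"
    maxevents=2
| where eventcount=2 AND closed_txn=1
| rex field=_raw "at (?<frame>com\.myorg\.myproject\.[^(]+)\((?<file>[^:]+):(?<line>\d+)\)"
| table _time host source frame file line
```

Because the search keeps only two kinds of lines, a trace with no com.myorg.myproject frame is dropped by the eventcount=2 filter rather than paired with the next trace's frame; if several threads write interleaved traces to the same source, the pairing can still be wrong, which is why merging the trace into one event with props/transforms at index time is the more reliable fix.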