Splunk Search

Trying to create a complicated query with no luck

nmayafit
Path Finder

Hi,

I'm trying to create a complicated query but can't find how.
Scenario: each log from the server contains a session ID I can use in my searches, so I can gather all the logs of the same session into one transaction. I run a query that results in batches of logs, each batch with a different session ID.
Now, I want to remove the batches in which one of the log lines contains some string. This way only the "good" sessions that succeeded will remain, and not the ones that failed.

Any idea?

Thanks

0 Karma

somesoni2
Revered Legend

I would rather use stats to group events than transaction if you don't have complicated grouping conditions which can only be achieved by the transaction command. If you just want to group based on a field called sessionID, then you can try something like this to achieve what you want here.

If the "String for failed transaction" can be extracted as a field, then try this:

your base search | rex "Regex to extract fail transaction string, say giving field type with value fail" | stats list(_raw) as _raw min(_time) as _time max(_time) as end values(type) as type by sessionID | where isnull(type) | eval duration=end-_time

If it can't be extracted as a field, try this:

your base search | stats list(_raw) as _raw min(_time) as _time max(_time) as end by sessionID | where NOT searchmatch("String for failed transaction") | eval duration=end-_time
0 Karma

nmayafit
Path Finder

For example:
[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Message is sent] environment=production

[2016-03-11 03:37:21,818] *!* [thread=http-exec-11] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Data for flow GetFormRequestHandler inited] environment=production

[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_cPffz7DVqzGMhAIbE76snGmSCvuQi] *!* body=[Message is sent] environment=production

[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_cPffz7DVqzGMhAIbE76snGmSCvuQi] *!* body=[This is a session I don't want] environment=production

[2016-03-11 03:37:21,818] *!* [thread=http-exec-11] *!* [level=INFO ] *!* [web_session_id=webs_cPffz7DVqzGMhAIbE76snGmSCvuQi] *!* body=[Data for flow GetFormRequestHandler inited] environment=production

As you can see, I have two batches of logs: the first two logs share one web_session_id and the last three have a different session.
Now, in the second batch I have a message in the body stating that I don't want this session. My desire is to dismiss those last three logs from my search and leave only the first two, using this body=[This is a session I don't want] in the log. So, at the end I will have something like this:
[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Message is sent] environment=production

[2016-03-11 03:37:21,818] *!* [thread=http-exec-11] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Data for flow GetFormRequestHandler inited] environment=production

Then, after I use "transaction" on the session, I will get:
[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Message is sent] environment=production
[2016-03-11 03:37:21,818] *!* [thread=http-exec-11] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Data for flow GetFormRequestHandler inited] environment=production

0 Karma
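The following is an added example, not code from the thread or from Splunk: a Python re-implementation of the "group by session, drop any session containing the marker, then build the transaction" logic that the stats/where answer describes, run over the five sample events posted above (copied from the question; the regexes, the FAIL_MARKER constant and all function names are this example's own assumptions, not Splunk field extractions). It is useful for checking offline what the search should return before iterating on SPL.

```python
"""Group session logs, drop sessions containing a marker string, emit transactions.

Added example that mirrors the stats/where filtering discussed in the thread.
It is not Splunk code; field extraction is done with ad-hoc regexes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample events copied from the question (same "*!*"-delimited format).
SAMPLE_EVENTS = [
    "[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Message is sent] environment=production",
    "[2016-03-11 03:37:21,818] *!* [thread=http-exec-11] *!* [level=INFO ] *!* [web_session_id=webs_6PfJX-HexeqImBTKw0HFdHPO2KcxTi4K8131_HUksHY] *!* body=[Data for flow GetFormRequestHandler inited] environment=production",
    "[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_cPffz7DVqzGMhAIbE76snGmSCvuQi] *!* body=[Message is sent] environment=production",
    "[2016-03-11 03:37:14,190] *!* [thread=http-exec-31] *!* [level=INFO ] *!* [web_session_id=webs_cPffz7DVqzGMhAIbE76snGmSCvuQi] *!* body=[This is a session I don't want] environment=production",
    "[2016-03-11 03:37:21,818] *!* [thread=http-exec-11] *!* [level=INFO ] *!* [web_session_id=webs_cPffz7DVqzGMhAIbE76snGmSCvuQi] *!* body=[Data for flow GetFormRequestHandler inited] environment=production",
]

# The string that marks a session as one to discard (from the question).
FAIL_MARKER = "This is a session I don't want"

# Assumed extraction rules for this log format (not Splunk's own extractions).
TS_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]")
KV_RE = re.compile(r"\[(?P<key>[A-Za-z_]+)=(?P<value>[^\]]*)\]")   # [thread=..], [level=..], [web_session_id=..]
BODY_RE = re.compile(r"body=\[(?P<body>[^\]]*)\]")                 # body=[...]
TRAIL_KV_RE = re.compile(r"(\w+)=(\S+)")                           # environment=production after the body


def parse_event(line):
    """Extract _time, thread, level, web_session_id, body and trailing key=value fields."""
    ts = TS_RE.match(line)
    if not ts:
        raise ValueError("no timestamp at start of event: %r" % line)
    event = {"_raw": line,
             "_time": datetime.strptime(ts.group("ts"), "%Y-%m-%d %H:%M:%S,%f")}
    for key, value in KV_RE.findall(line):
        event[key] = value.strip()          # "[level=INFO ]" carries a trailing space
    body = BODY_RE.search(line)
    if body:
        event["body"] = body.group("body")
        for key, value in TRAIL_KV_RE.findall(line[body.end():]):
            event[key] = value
    return event


def group_sessions(events, key="web_session_id"):
    """Like `stats ... by web_session_id`: events that lack the field are dropped
    silently, which is also what stats and transaction do with a null by-field."""
    sessions = defaultdict(list)
    for ev in events:
        if ev.get(key):
            sessions[ev[key]].append(ev)
    for evs in sessions.values():
        evs.sort(key=lambda e: e["_time"])
    return dict(sessions)


def drop_failed_sessions(sessions, marker, field="body"):
    """Keep only sessions in which no event's `field` contains `marker`.
    Plain substring match rather than a regex, so apostrophes and spaces in the
    marker need no escaping."""
    return {sid: evs for sid, evs in sessions.items()
            if not any(marker in ev.get(field, "") for ev in evs)}


def build_transactions(lines, marker, key="web_session_id"):
    """Parse, group, filter, then emit one transaction-like record per surviving
    session with the fields `transaction` adds (_time, duration, eventcount)."""
    events = [parse_event(line) for line in lines]
    good = drop_failed_sessions(group_sessions(events, key), marker)
    transactions = []
    for sid, evs in good.items():
        start, end = evs[0]["_time"], evs[-1]["_time"]
        transactions.append({
            key: sid,
            "_time": start,
            "duration": (end - start).total_seconds(),
            "eventcount": len(evs),
            "_raw": "\n".join(ev["_raw"] for ev in evs),
        })
    return sorted(transactions, key=lambda t: t["_time"])


if __name__ == "__main__":
    for tx in build_transactions(SAMPLE_EVENTS, FAIL_MARKER):
        print("session=%s events=%d duration=%.3fs"
              % (tx["web_session_id"], tx["eventcount"], tx["duration"]))
        print(tx["_raw"])
```

Run against the sample, only the webs_6PfJX... session survives, as a two-event transaction with a 7.628 s duration; the three cPffz7 events are discarded together because one of them carries the marker. Two caveats carry over to the SPL: the filter must be applied per session (after the group-by, or via a per-session count in eventstats), since a plain `NOT "marker"` in the base search would only drop the single marker event and keep the rest of the failed session; and events with no web_session_id vanish from the result rather than failing loudly, so check the event count before and after if missing field extraction is a possibility.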

asimagu
Builder

Why don't you do the filtering before building the transactions?

Could you provide a sample of the events so we can provide further help?

0 Karma