Building for the Splunk Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

query to extract events with distict ids

wye054
New Member
‎01-14-2014 03:50 AM

Hi

i am trying to get all the request messages that passed through our application for a particular time frame . when i am searching using
sourcetype="*Leg .log" tid | eval status = if(error == 200, "OK", "Error")

getting below events with repeatition of transaction ids . How to get distict tid instead of repeating tids ....
please help me on this , i am a newbea to this ...
Time Event 1 1/13/14
11:20:54.000 PM
Mon Jan 13 2014 23:20:54 tid(7677232): certificate validation succeeded
date_month = january host = dev source = /opt/store/off_device_logging/Leg.log.
sourcetype = Leg .log
2 1/13/14
11:20:31.000 PM
Mon Jan 13 2014 23:20:31 tid(34223): Updating existing wsdl
date_month = january host = dev
source = /opt/store/off_device_logging/Leg .log sourcetype = Leg .log
3 1/13/14
11:20:31.000 PM
Mon Jan 13 2014 23:20 : tid(34223😞 wsdl Compilation Request
date_month = january host = dev source = /opt/store/off_device_logging/Leg .log
sourcetype = Leg .log
4 1/13/14
11:20:31.000 PM
Mon Jan 13 2014 23:20:31 : tid(8006898): HTTP response code 200
date_month = january host = dev source = /opt/store/off_device_logging/Leg .log
sourcetype = Leg .log
5 1/13/14
11:20:31.000 PM
Mon Jan 13 2014 23:20:31 tid(8006898): certificate validation succeeded
date_month = january host = dev
source = /opt/store/off_device_logging/Leg .log sourcetype = Leg .log

Tags (1)
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎01-14-2014 04:26 AM

If the field tid or transactionId is already extracted use following

sourcetype="*Leg .log" tid | eval status = if(error == 200, "OK", "Error") | dedup tid

If the tid field is not extracted, use following

sourcetype="*Leg .log" tid | eval status = if(error == 200, "OK", "Error") | rex "\((?<tid>.*)\)" | dedup tid

you can save the regex to make it search time field extraction.

0 Karma
Reply

linu1988
Champion
‎01-14-2014 04:25 AM

Hello,
I would assume all the events are different, so we can have the tid's first then you can have your calculations

sourcetype="*Leg  .log" tid |rex field=_raw "\stid\((?<TID>\d+)"|dedup TID|eval status = if(error == 200, "OK", "Error")

Give it a try. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...