I have some logs being indexed that contain the output from another program, and Splunk indexes like this:
commandOuput= /some/random/command blah blah blah
line1 output from the command
line2 output from the command
lineXX output from the command
I want to capture and concatenate all text between the first event and the last event (Z). I've tried using transaction and matched the start with startswith and the end with endswith, but that only seems to keep the start and end event, not the events in between.
Is there an easier way of just extracting the raw data between two events?
try something like this:
your base search | rex field=_raw "(?s)Event\s1\:(?<myNewField>.*)Event\sZ\:" | table myNewField
this will get everything between
Event 1: and
hope this helps ...
Take this run-everywhere search and you will see that using _indextime works fine:
index=_internal source=*access.log | transaction clientip _indextime maxspan=5min
By using it with startswith and endswith you should be able to get what you want.
We don't have control over the "command output" that gets logged, so there is no way to tag it for consideration in the transaction. That's why I originally had trouble: I could match the start and end transaction events, but the text "in between" the events can't be correlated.
What I need is like saying "give me all the events between startswith=foo and endswith=bar regardless of what's in the events".
Sorry, it is way too hot in the office to have a clear thought 😉 Now I see your problem: this pasted example is not the raw text of one event, those are different events. facepalm
So keep the transaction with startswith and endswith, and create or use a common field for all the other events you need. Add this field to the transaction command like this:
transaction startswith="commandOuput=" endswith="commandExitcode=0" thenewfield
newfield could be, for example, a regex for
Hope this makes sense now.
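Added example, not part of the thread and not Splunk code: a small Python model of the two approaches discussed above. extract_between() is the first answer's rex (the named group closed, and (?s) added so that "." crosses the newlines inside one multi-line event). stitch() models the last answer's transaction with a common field, using the event's source as that field (an assumption; any field shared by the start, middle and end events works the same way). The sample stream, the maxspan value and the hostA/hostB names are constructed for the example; the "commandOuput=" spelling is kept as it appears in the logged data.

```python
"""Model of Splunk's rex and transaction behaviour from the thread.

Not Splunk code: a stand-alone emulation used to show why startswith/endswith
alone only keep the edge events, and how grouping on a common field keeps the
lines in between. Assumption: 'source' is that common field.
"""
import re
from dataclasses import dataclass, field

# Marker patterns as they appear in the thread ("commandOuput" matches the log).
START = re.compile(r"commandOuput=")
END = re.compile(r"commandExitcode=\d+")


@dataclass
class Event:
    time: float   # seconds; stands in for _time / _indextime
    source: str   # the common field shared by every line of one command run
    raw: str      # _raw


@dataclass
class Transaction:
    source: str
    start: float
    end: float
    events: list = field(default_factory=list)
    closed: bool = False    # False when the end marker was never seen

    @property
    def body(self) -> str:
        # concatenated _raw of every event from start to end, inclusive
        return "\n".join(self.events)


def extract_between(raw: str, start_marker: str, end_marker: str):
    """The first answer's rex: everything between two markers in ONE event.
    (?s) is required, otherwise '.' stops at the first newline of _raw."""
    pat = re.compile(r"(?s)" + start_marker + r"(?P<myNewField>.*)" + end_marker)
    m = pat.search(raw)
    return None if m is None else m.group("myNewField")


def stitch(events, maxspan: float = 300.0):
    """Model of: transaction source startswith="commandOuput="
                 endswith="commandExitcode=" maxspan=<maxspan>
    Events are grouped per source. A line for a source with no open
    transaction is dropped, the end marker closes the transaction, and a new
    start marker or a maxspan overrun evicts an unfinished one (closed=False)."""
    open_txns: dict = {}
    done = []
    for ev in sorted(events, key=lambda e: e.time):
        txn = open_txns.get(ev.source)
        if txn is not None and ev.time - txn.start > maxspan:
            done.append(open_txns.pop(ev.source))   # ran past maxspan, give up on it
            txn = None
        if START.search(ev.raw):
            if txn is not None:                     # previous run never reported an exit code
                done.append(open_txns.pop(ev.source))
            open_txns[ev.source] = Transaction(ev.source, ev.time, ev.time, [ev.raw])
            continue
        if txn is None:
            continue                                # noise outside any command run
        txn.events.append(ev.raw)
        txn.end = ev.time
        if END.search(ev.raw):
            txn.closed = True
            done.append(open_txns.pop(ev.source))
    done.extend(open_txns.values())                 # still open when the stream ends
    return sorted(done, key=lambda t: (t.start, t.source))


# Constructed sample stream (not real data): two hosts interleaved, one noise
# line before any start marker, and a final run that never finishes.
SAMPLE = [
    Event(0.0, "hostA", "commandOuput= /some/random/command blah blah blah"),
    Event(0.5, "hostB", "unrelated line before any command"),
    Event(1.0, "hostA", "line1 output from the command"),
    Event(1.5, "hostB", "commandOuput= /usr/bin/other --flag"),
    Event(2.0, "hostA", "line2 output from the command"),
    Event(2.5, "hostB", "other line1"),
    Event(3.0, "hostA", "commandExitcode=0"),
    Event(3.5, "hostB", "commandExitcode=1"),
    Event(4.0, "hostA", "commandOuput= /bin/never-finishes"),
    Event(5.0, "hostA", "partial output"),
]

if __name__ == "__main__":
    for t in stitch(SAMPLE):
        print(f"{t.source} closed={t.closed} span={t.end - t.start:.1f}s")
        print(t.body)
        print("--")
```

Running it prints three groups: the complete hostA run, the complete hostB run (without the "unrelated" line, which arrived before hostB's start marker), and the unfinished hostA run flagged closed=False. Without the source grouping the two hosts' output lines would be merged into one transaction, which is the correlation problem described in the thread.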