Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Combining Search Results (from a single Search)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combining Search Results (from a single Search)
Hi Friends,
I'm new to SPLUNK, so might be a silly question.
I'm having a search based on an "identifier" which gives me back 3 results. Actually all of these messages were part of a single original "xml" message which got split by an intermediate system before Splunk. Hence I wanted to combine these messages back into the original xml message.
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="schemas.xmlsoap.org/soap/envelope/" ><soapenv:Header/><soapenv:Body><ws:notify><ws:request><ws:actionTypeList><ws:genericActionTypes>ABCD</ws:genericActionTypes></ws:actionTypeList><ws:deviceRequest></ws:userAgent>version=1pm_fpua=mozilla/4.0 compatible msie 8.0 windows nt 5.1 trident/4.0 .net clr 1.1.4322 .net clr 2.0.50727...
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ..1,4322)</ws:userAgent></ws:deviceRequest><ws:identificationData><ws:userLoginName>abc@gmail.com</ws:userLoginName><ws:userName>testUser</ws:userName><ws:pass>testPass</ws:pass><ws:phoneNumber>XXXXXXXX</ws:phoneNumber><ws:tex...
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ...t>some Text message</ws:text></ws:request></ws:notify></soapenv:Body></soapenv:Envelope>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can decide which field indicates they all belong together such as that identifier field then look at the transaction command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can ensure the xml portion is going into a field for each event you might could use the eval command to make a new field and combine them back together. This is something that will take experimentation and time. No easy one command answer I am afraid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used "identifier=ILOGENGINE_22" to identify the rows. This is not part of the XML as such but row-meta information. But now I want to combine the xml part of these messages.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you see its not pure XML, but combination of headers and XML. Once combined, I can then remove the unwanted elements.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
