Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search & count on value from line above

fwd4
Explorer
‎06-21-2011 05:55 AM

I'm looking create a table in Splunk which shows me a top 10 list of offending 'stores' which are creating 'duplicate' entries in our logs.

I can identify these duplicate entries by our response code 'V033', so I would like to search on this value but count on the store id which is several lines above. Is there a way to do this?

I have pasted an extract of a logfile below. 

21/06/2011 12:12:12.685 Add store 7936424 to cache
.... (multiple lines, say 6 for example)
21/06/2011 12:12:13.083 Set response to V, V033 - Duplicate transaction

I'm a little new to Splunk so still feeling my way around. Thank you in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-21-2011 06:48 AM

One way to accomplish this is with the transaction command. Transaction pulls together related events into a larger event at search time. Transaction normally works best when you have a transaction id / session id / pid / thread name -- something common among the events to stitch them together.

http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-21-2011 06:48 AM

One way to accomplish this is with the transaction command. Transaction pulls together related events into a larger event at search time. Transaction normally works best when you have a transaction id / session id / pid / thread name -- something common among the events to stitch them together.

http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction

0 Karma
Reply
Solved! Jump to solution

fwd4
Explorer
‎06-21-2011 06:57 AM

Thank you, very interesting I'll give that a read. We have a process ID in the same logs which I could use to tie the transaction together (I removed it from my example above for simplicity).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...