how to make this into a transaction: group events ...

geertn444 · ‎06-06-2018

My events all have a sequence (field), however, some events are "multiline". I want to group them together.
Example:

SYSLOG: SEQ: 1 : TEXT1
SYSLOG: SEQ: 2 : TEXT2
SYSLOG: TEXT A
SYSLOG: TEXT B
SYSLOG: SEQ: 3 : TEXT 3

grouping should be:
transaction 1 = text1
transaction 2 = TEXT 2 + TEXT A + TEXT B
transaction 3 = text 3

the sequence field is already defined, i just need to be able to group events with no sequence number under the last known sequence number

martin_mueller · ‎06-06-2018

If all start-events have that SEQ bit you could consider only linebreaking when you see that SEQ bit - then you don't need to reassemble events at all.

cpetterborg · ‎06-06-2018

I really like this idea, but if the data is syslog, it might not be simple to make it combine, especially if there is a lag time from one line to the next that time out in the event parsing to make it split them anyway.

If the transaction command is done with a startswith="SYSLOG: SEQ:", then it could grab all the events into the same transaction as was described. The field to use in the transaction could be interesting, though. Since the provided example data is not very informative about the real data of the events, it's hard to say what the full transaction command should be.

how to make this into a transaction: group events under previous field until new field is present

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)