summarize events to new event

flanghof · ‎08-28-2012

Hello out there!

I dont know if i am doing something wrong. So maybe somebody could help me with this question.

I index a few events. I can do some searches on them, but the events "expire" (kind of). So when the last part of the event is appearing, sth like "event_id=2846 status=finished" i 'd like to summarize all the events matching the event_id=2846 and create a new event. i d'like to do this for statistics so i need just some of the original values. furthermore these events should be saved in a different index, so they should be keeped longer.

Is there any possibility to do this? Is there a Splunk-way, which satisfies my problem much better?

Thanks a lot!

Ayn · ‎08-28-2012

A combination of transaction (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction ) and summary indexing (http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing ) might perhaps be what you're looking for?

summarize events to new event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

summarize events to new event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions