Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with Splunk Query

nilbak1
Communicator
‎08-21-2020 09:21 AM

Hello Splunkers,

I need help with below scenario:

I need to form query from xml log in below format.

TransactionID            LineNumber            Fulfiller
123                                        1                             abc
124                                         1                            xyz
125                                         1                            def
                                                  2                           xyz
126                                          1                           abc
                                                   2                           def
                                                   3                            xyz

So, here in my xml logs sometime i am having only one LineNumber mentioned and correspondingly fulfiller.
However, in some log events i am having multiple LineNumbers with corresponding fulfillers for same transactionid.

I have used regex to extract transactionid, LineNumber and fullfiller name.

I want result in above format.
Hope I am able to explain my scenario.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-22-2020 05:36 AM

Try below,

my Query | stats list(LineNumber) as LineNumber list(Fullfiller) by TransactionID


values function displays only distinct values.

where as list displays linenumber and its fulfiller by transactionID

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution

nilbak1
Communicator
‎08-21-2020 09:35 AM

After using max_match in regex and running below query

my Query | stats values(LineNumber) as LineNumber values(Fullfiller) by TransactionID

I am getting as below result 

10000056090658 1 abc
10000063819764 1 xyz
                                        2
10000063819784 1 abc
                                        2 def

10000063820877 1 abc
                                        2
Not getting fulfillers with some of the line numbers.

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-22-2020 05:36 AM

Try below,

my Query | stats list(LineNumber) as LineNumber list(Fullfiller) by TransactionID


values function displays only distinct values.

where as list displays linenumber and its fulfiller by transactionID

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

nilbak1
Communicator
‎08-22-2020 11:06 PM

Thanks @thambisetty 

Yes, I used list function and it worked, got the results as required.

Anyways thanks for your reply.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-22-2020 11:30 PM
Happy I solved your problem. Please like answer.
————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎08-21-2020 02:50 PM

hi @nilbak1 , can you share the regex you are using ? Or the log?

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - SLO Capabilities, APM Advanced Filtering & Usage Analytics Plus ...

More for SLO Management We’re continuing to expand the built-in SLO management experience in Splunk ...

Enterprise Security Content Update (ESCU) | New Releases

In June, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...

Index This | What gets bigger the more you remove?

June 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...