Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find set of 'problem' events, then map to all events from the 'problem' requests based on requestID

nfdavenport
Observer
‎09-29-2020 05:17 PM

I have a web application where each incoming request is given a unique requestID so we can see all the logs for that particular 'request'.  This isn't currently a field, but I could/probably should make it one.

I am looking for particular events where we log a problem.  I want to pull the requestID for all of these events and show the entire 'request' for all of them.  So far looking around it seems the 'map' command is the way to do this.  What I haven't seen or figured out is how to do this for multiple requestIDs at once exactly.

index=foo  REQUEST_TIME>2000 | rex field=_raw "^\[\((?<REQID>[^\)]*)" | map search="index=foo $REQID$"

That's the best I've come up with.  The regex works because if I pass it to something else like stats count I can see the value with a count of 1.

index=foo REQUEST_TIME>2000 | rex field=_raw "^\[\((?<REQID>[^\)]*)" | stats count by REQID

So I am close I think.  I'd like to make it work before I change the log output to make reqid a field.

 

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-29-2020 06:55 PM

The map command is useful, but it will run, I believe, sequential searches for each event given to it, with a default of 10.

I assume that the request Id will be generating more than one event in Splunk, so you're looking to pull together all the events for that id, where one or more of those events took more than 2000ms.

The transaction command is one alternative, but I would generally advise against that, for a number of resource related reasons.

An alternative is to do the outer search and then join a subsearch on the ids, but again you may come up with resource issues as the join has limitations. By putting the >2000ms search as the subsearch you can minimise the join size.

The other option is to use

index=foo
| rex field=_raw "^\[\((?<REQID>[^\)]*)" |
| stats values(_raw) as events max(REQUEST_TIME) as mrt by REQID 
| where mrt>2000
| mvexpand events
....

then you will have all events for the problematic request ids. A lot will depend on data volume, performance and what data you then need from those events, but you can explore this.

 

0 Karma
Reply

nfdavenport
Observer
‎09-29-2020 09:33 PM

Thank you, I will give it a try.  These will be run manually on an ad-hoc basis so hopefully the performance won't be too  big of an issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...