Splunk Search

Getting useful information from a multiline event

New Member

In one of our log files, we see two lines that follow each other when a user logs in. The first line has the user's IP. The second has their username. I want to be able to have a table which shows something like the username, IP, and the number of login attempts.

This is one example:

Dec 23 10:12:23.98411 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver] - User connected from [10.158.45.178:3904]
Dec 23 10:12:23.98767 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver:kallispy-asynch] - Connect done OK [kallispy-asynch].

I would have no problem creating the search if all this data was on one line, but since it is split I am having difficulties.

What's the best way to accomplish this? I first tried to create this into a multiline event like this in the application props.conf:

MUST_NOT_BREAK_AFTER = User connected from

But this didn't seem to work; the next user that logged in still had individual events for each line. Any ideas?

1 Solution

Motivator

The most common approach is to use the transaction command.

Something like:

orcserver ("user connected" OR "connect")
| transaction host, pid maxspan=1s maxevents=2 startswith=("user connected")
| stats count as "ConnectionCount" by user, src_ip
| table user, src_ip, ConnectionCount

(The example transaction assumes that "26462" in your sample log is being extracted into a field called pid.)

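The grouping that the transaction command in the answer above performs, reimplemented outside Splunk as an added example (not code from the original answer): it pairs each "User connected" line with the next "Connect done OK" line from the same host and pid within 1 second (maxspan=1s, maxevents=2, startswith on the connect line) and counts logins per user and source IP. The regexes that pull src_ip and user out of the two lines, the pid field, and the extra sample lines beyond the poster's two are assumptions, not from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in the format quoted in the question. The first pair is the
# poster's own two lines; the rest are constructed: a second login from the same IP,
# and a slow login whose "Connect done" arrives 2s later (outside maxspan=1s).
SAMPLE_LOG = """\
Dec 23 10:12:23.98411 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver] - User connected from [10.158.45.178:3904]
Dec 23 10:12:23.98767 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver:kallispy-asynch] - Connect done OK [kallispy-asynch].
Dec 23 10:12:25.10000 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver] - User connected from [10.158.45.178:3905]
Dec 23 10:12:25.10100 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver:kallispy-asynch] - Connect done OK [kallispy-asynch].
Dec 23 10:12:30.00000 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver] - User connected from [10.20.30.40:4000]
Dec 23 10:12:32.00000 nyggmeorcappp1 cds71[26462:t@2247      ]/info:  [orcserver:slowuser] - Connect done OK [slowuser].
"""

# Header every line carries: timestamp, host, and the pid inside "cds71[26462:...]" (assumed layout).
HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) (?P<host>\S+) \S+?\[(?P<pid>\d+):[^\]]*\]/\w+:\s+(?P<msg>.*)$")
START_RE = re.compile(r"User connected from \[(?P<src_ip>[\d.]+):\d+\]")  # src_ip extraction (assumed)
END_RE = re.compile(r"Connect done OK \[(?P<user>[^\]]+)\]")               # user extraction (assumed)

def parse_line(line):
    """Return (timestamp, host, pid, message) or None for lines that do not match the header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # The log carries no year; 2000 is a placeholder so the timestamps become comparable.
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
    return ts, m["host"], m["pid"], m["msg"]

def login_counts(log_text, maxspan=1.0):
    """Pair each 'User connected' line with the next 'Connect done' line from the same
    host+pid within maxspan seconds, then count completed logins by (user, src_ip)."""
    open_tx = {}   # (host, pid) -> (start_ts, src_ip): a transaction waiting for its second event
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, pid, msg = parsed
        key = (host, pid)
        if (s := START_RE.search(msg)):
            open_tx[key] = (ts, s["src_ip"])   # startswith: a new connect line opens (or replaces) a transaction
        elif (e := END_RE.search(msg)) and key in open_tx:
            start_ts, src_ip = open_tx.pop(key)
            if (ts - start_ts).total_seconds() <= maxspan:
                counts[(e["user"], src_ip)] += 1   # pairs slower than maxspan are dropped, as transaction would
    return counts

if __name__ == "__main__":
    for (user, src_ip), n in login_counts(SAMPLE_LOG).items():
        print(f"{user}\t{src_ip}\t{n}")
```

Raising maxspan to 5 seconds makes the constructed slow login count as well, which is the knob to tune if real connect lines arrive further apart than 1s.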