Splunk Search

Help joining multi row search

kimberlytrayson
Path Finder

Hi everyone,
I am new to Splunk and still learning.

Can someone please help me on the below query?

My log file:

2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds

my requirement:

I want to get the screen name and service took time.
in the above example I need like this: "Select" screen services took 89 milliseconds

Please help me to get the query. I would really appreciate it! Thank you!

Tags (3)
0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="test
2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds
2020-03-30 13:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 13:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 13:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 13:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds"
| multikv forceheader=1
| fields _raw
| streamstats current=f count(eval(searchmatch("took"))) as session
| stats values(_raw) as _raw by session
| nomv _raw
| rex "(?ms)^.*\[(?<screen>\w+)\].*took (?<duration>\d+ \w+)"
| eval result="\"".screen."\" services took ".duration

I make session from screen changing to took
how about this?

0 Karma

manjunathmeti
Champion

All these logs should contain a common values to join them together. Assuming [ - ] is the common value in all these logs you can try this:

| rex "\[(?<common_value>[\w\W]+)\]\s\-\sscreen\schanging\sto\s\[(?<service>\w+)\]" 
| rex "\[(?<common_value>[\w\W]+)\]\s-\sAll\sService\stook\s(?<duration>\d+\smilliseconds)" 
| stats latest(service) as service, latest(duration) as duration by common_value 
| eval output="\"".service."\" screen services took".duration." milliseconds"

Sample query:

| makeresults 
| eval _raw="_raw
2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds" 
| multikv forceheader=1 
| fields _raw 
| rex "\[(?<common_value>[\w\W]+)\]\s\-\sscreen\schanging\sto\s\[(?<service>\w+)\]" 
| rex "\[(?<common_value>[\w\W]+)\]\s-\sAll\sService\stook\s(?<duration>\d+\smilliseconds)" 
| stats latest(service) as service, latest(duration) as duration by common_value 
| eval output="\"".service."\" screen services took".duration." milliseconds"

to4kawa
Ultra Champion

your multikv is cool.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...