Splunk Search

How can I group log entries together when fields are not clearly delineated?

swerner
Explorer

I am evaluating Splunk for use in monitoring application logs and am wondering if it is possible to group together lines like the following, relating the numbers in bold to each other and the text in bold to each other.

[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: db_scoped_select_query: 3 976122186 0 0 53.14 select items-list-main-count_advanced 0.081 0.002 version_list_criteria 1

[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: Time-log, 2, 976122186, 0, 0, 53.14, /items/list-main, role_employee_rw_no_version_buyer, employee, 0.05, 0.25, 0.07, 0.23, 0.61, 19789, 66, items-list-main-count_advanced, select, 0.08, 623094, 433285

1 Solution

bwooden
Splunk Employee

If they are in the same log file - are they both comma separated or does only the 2nd event have its fields separated by commas? I ask because if all values in the log file are separated by commas it may be even easier to do your field extractions. I strongly encourage field extractions first so you'll be set up for future successes.

If you're only trying to show the grouping is possible, even before you learn about the field extractions, you could do this

976122186 items-list-main-count_advanced | eval glue="fragileSolution" | transaction glue

...with the understanding that it is a fragile solution.


0 Karma


swerner
Explorer

I will plan to pursue field extractions. Thanks for your help

0 Karma

sideview
SplunkTrust

Is there any reason why you're not extracting the bold values as fields?

If you haven't already, read through this section about fields and subsequent sections about search-time field extractions. http://www.splunk.com/base/Documentation/latest/Knowledge/Aboutfields

Once those values are correctly extracted, everything becomes a lot easier. For instance, if the 976122186 value is extracted as a field called session_id this boils down to just:

<your search> | transaction your_extracted_id_field
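A prototype of the extract-then-transaction approach both answers recommend, added here as an example and not code from the thread or from Splunk: it pulls the session id (the 976122186 value, named session_id as in the answer above) and the query name out of the question's two event shapes with one regex per shape, then groups events by that id the way `transaction` would, reporting event count and duration. The sample events are constructed from the question's two lines plus one invented event from a second session.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the question's two events plus one invented event from a
# second session, so the grouping has something to separate.
SAMPLE_EVENTS = [
    "[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: db_scoped_select_query: 3 976122186 0 0 53.14 select items-list-main-count_advanced 0.081 0.002 version_list_criteria 1",
    "[29/Apr/2010:00:01:18][8456.-243491648][-conn2-] Notice: Time-log, 2, 976122186, 0, 0, 53.14, /items/list-main, role_employee_rw_no_version_buyer, employee, 0.05, 0.25, 0.07, 0.23, 0.61, 19789, 66, items-list-main-count_advanced, select, 0.08, 623094, 433285",
    "[29/Apr/2010:00:01:20][8456.-243491648][-conn3-] Notice: db_scoped_select_query: 3 976122187 0 0 12.00 select users-list-count 0.010 0.001 user_criteria 1",
]

# One regex per event shape. Python needs (?P<name>...); Splunk's rex command
# accepts the same patterns with PCRE-style (?<name>...) named groups.
TIMESTAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")
PATTERNS = [
    re.compile(r"db_scoped_select_query: \d+ (?P<session_id>\d+) .*? select (?P<query>\S+)"),
    re.compile(r"Time-log, \d+, (?P<session_id>\d+),.*?, (?P<query>[^,]+), select,"),
]

def extract(event):
    """Search-time field extraction: return a dict of fields, or None."""
    for pattern in PATTERNS:
        match = pattern.search(event)
        if match:
            ts = TIMESTAMP.match(event).group("ts")
            fields = match.groupdict()
            fields["_time"] = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")
            return fields
    return None  # neither shape matched, so the event carries no session_id

def transaction(events, field="session_id"):
    """Group extracted events by `field`, like `| transaction <field>`:
    one entry per value with eventcount, duration in seconds and queries."""
    groups = defaultdict(list)
    for fields in map(extract, events):
        if fields is not None:  # unextracted events never join a transaction
            groups[fields[field]].append(fields)
    result = {}
    for key, members in groups.items():
        members.sort(key=lambda f: f["_time"])
        result[key] = {
            "eventcount": len(members),
            "duration": (members[-1]["_time"] - members[0]["_time"]).total_seconds(),
            "queries": sorted({f["query"] for f in members}),
        }
    return result
```

Calling `transaction(SAMPLE_EVENTS)` yields one group per session id, which is exactly what the glue-field trick above cannot do once the search returns more than one session.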

swerner
Explorer

I am planning to pursue field extractions. Thanks for the link.

0 Karma