Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I merge events on the basis of time and fields?

pratibha2018
Explorer
‎03-16-2018 12:06 AM

I want to merge events that are in between state=" STARTED" and state="COMPLETED" i.e. All the following events of state="STARTED" and preceding to state="COMPLETED" will merge into a single event.

0 Karma
Reply

tiagofbmm
Influencer
‎03-16-2018 12:16 AM

Hey

Do you have any field that may connect those events? Like an ID?

Then you could use transaction command with these parameters

endswith
Syntax: endswith=<filter-string>
Description: A search or eval expression which, if satisfied by an event, marks the end of a transaction.

startswith
Syntax: startswith=<filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the beginning of a new transaction.

https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Transaction

0 Karma
Reply

pratibha2018
Explorer
‎03-16-2018 12:23 AM

No Nothing to match.

0 Karma
Reply

tiagofbmm
Influencer
‎03-16-2018 12:58 AM

Well and to you have events starting in between the others?

I mean:

event A started at X and ended at Y
event B starter at X+5 and ended at Y+3

Do you also have those scenarios?

0 Karma
Reply

pratibha2018
Explorer
‎03-16-2018 02:53 AM

There is the start time for each event, not the end time. And also not necessary that the event B start at X+5 .

So, In my case eventA gives me the log that Request1 started for user1
eventB gives me that Request2 has completed in time(* sec) for user2
And If there is any Error then another EventC is created in between A and B with Error log.
Now, I just want table "Error log" User.

Is this possible??

0 Karma
Reply

tiagofbmm
Influencer
‎03-16-2018 03:09 AM

I don't see that possible if you don't have an element to trace the events back.

Can you show us a piece of your log with the events you mentioned?

0 Karma
Reply

pratibha2018
Explorer
‎03-18-2018 11:43 PM

Here's the code :

2018-02-09 18:10:25,542 INFO [qtp1687849576-8861]: "class name1" - [#0000e4ca] "Request1" from "ip_address1" ("email_id1") STARTED
2018-03-09 18:10:26,610 ERROR [qtp1687849576-12683]: "class name2" - Cannot retrieve. No UserLoginHistory information is stored.
2018-02-09 18:10:28,760 INFO [qtp1687849576-8861]: "class name1" - [#0000e4ca] "Request1" from "ip_address1"("email_id1") COMPLETED in 0.217s

0 Karma
Reply

p_gurav
Champion
‎03-18-2018 11:53 PM

Did you extract this "qtp1687849576" into field say abc and then
Can you try :

| transaction abc startswith="STARTED" endswith="COMPLETED"

0 Karma
Reply

pratibha2018
Explorer
‎03-19-2018 05:09 AM

Thanks @p_gurav
But can't rely on this "qtp..." thing.

0 Karma
Reply

p_gurav
Champion
‎03-19-2018 05:40 AM

Is there any other common field present in logs?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...