My application is a backend web service. All events in a request contain the same value for a "req_id" field.
I have a use-case, where I want to look at all the events that occurred for requests, only when a particular log line is present.
My first query would be this -
index="myapp" AND "some log line" | rex field=_raw "req_id=(?<req_id>[a-zA-Z0-9]*)"
And then my second query would be -
index="myapp" AND "$req_id" | transaction req_id
where the $req_id would be fed in by the first query.
How do I join these two queries?
Thanks in advance!
Use the first search as a subsearch:
index=myapp [ search index=myapp "some log line" | rex field=_raw "req_id=(?<req_id>[a-zA-Z0-9]*)" | table req_id ] | transaction req_id
P_vandereerden's reply is a good starting point, but there are two things to consider:
1. The use of a subsearch to constrain an outer search may not perform well if there are a large number of request ids with that log line. If you are expecting a large number of hits for "log_line" then you may need to consider a different approach.
2. The use of transaction has limitations and although it has use cases, its options should be understood in relation to your data set, particularly when your data set is large.
Very often the stats command can be used to achieve the same thing as transaction without the limitations, so it very much depends on what you want to do with the resultant grouped data. For example, this is generally a simple replacement for transaction
| stats values(_raw) as _raw range(_time) as duration count by req_id
which will give you the raw events, the duration from first to last and the number of events for any given request id.
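As an added illustration (plain Python written for this page, not Splunk SPL and not code from either answer), the following mimics what the subsearch-plus-stats pipeline computes over a few constructed log lines: the inner search collects the req_id values of events containing the marker line, the outer search keeps only events with those ids, and the grouping step reproduces values(_raw), range(_time) and count per req_id. The sample events and the maxout parameter are constructed for the example; maxout defaults to 10,000 because that is Splunk's default subsearch result cap, which is what makes the first point above matter when the marker line is common.

```python
import re
from collections import defaultdict

# Constructed sample events as (_time in epoch seconds, _raw). Not from the original post.
SAMPLE_EVENTS = [
    (1000.0, "req_id=abc123 GET /login start"),
    (1000.4, "req_id=abc123 some log line: auth failure"),
    (1001.2, "req_id=abc123 GET /login done status=401"),
    (1000.1, "req_id=def456 GET /health start"),
    (1000.3, "req_id=def456 GET /health done status=200"),
    (1002.0, "req_id=ghi789 POST /upload start"),
    (1003.5, "req_id=ghi789 some log line: auth failure"),
    (1004.0, "req_id=ghi789 POST /upload done status=401"),
]

# Same pattern as the rex command in the question.
REQ_ID_RE = re.compile(r"req_id=(?P<req_id>[a-zA-Z0-9]*)")


def extract_req_id(raw):
    """Equivalent of: rex field=_raw "req_id=(?<req_id>[a-zA-Z0-9]*)"."""
    m = REQ_ID_RE.search(raw)
    return m.group("req_id") if m else None


def subsearch(events, marker, maxout=10000):
    """Inner search: events containing the marker line -> req_id values.

    Splunk silently truncates subsearch output beyond maxout rows, so the
    outer search would then miss request ids; the truncated flag surfaces that.
    """
    rows = [extract_req_id(raw) for _, raw in events if marker in raw]
    rows = [r for r in rows if r]
    truncated = len(rows) > maxout
    return set(rows[:maxout]), truncated


def stats_by_req_id(events, req_ids):
    """Outer search constrained to req_ids, then
    stats values(_raw) as _raw range(_time) as duration count by req_id."""
    groups = defaultdict(list)
    for t, raw in events:
        rid = extract_req_id(raw)
        if rid in req_ids:
            groups[rid].append((t, raw))
    result = {}
    for rid, evs in groups.items():
        times = [t for t, _ in evs]
        result[rid] = {
            # values() is a deduplicated, lexicographically sorted list
            "_raw": sorted({raw for _, raw in evs}),
            # range(_time) is last event time minus first event time
            "duration": max(times) - min(times),
            "count": len(evs),
        }
    return result


def run_pipeline(events, marker, maxout=10000):
    """Whole query: index=myapp [ search ... marker ... | rex ... | table req_id ] | stats ..."""
    ids, truncated = subsearch(events, marker, maxout)
    return stats_by_req_id(events, ids), truncated


if __name__ == "__main__":
    grouped, truncated = run_pipeline(SAMPLE_EVENTS, "some log line")
    for rid, row in grouped.items():
        print(rid, row["count"], "events,", row["duration"], "s")
    print("subsearch truncated:", truncated)
```

Only abc123 and ghi789 carry the marker line, so def456 is dropped by the outer search even though its events are in the index; with a low maxout the subsearch loses ids entirely, which is the failure mode the first point describes.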