Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two consecutive events into one based on the content of the first event?

DavidHourani
Super Champion
‎12-04-2015 06:11 AM

Hello,

I would like to combine 2 events into one based on the content of the first one.

So every time I find an event containing the word "Banana" I wanna combine it with the line that follows regardless of what the following line is.

Could you please help out?

Thank you.
David

Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-04-2015 07:30 AM

You could try the transaction command. Something like this could work.

index=* | transaction startswith="banana" maxevents=2

Having said this, keep in mind the sort order in splunk may not be the same as what you are thinking. So what you think as the "next" event may not be what splunk considers to be the "next" event.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-05-2015 11:51 AM

You should try to avoid using transaction whenever you can. Try this instead (faster and more robust):

... "banana" OR "the keyword in the next event" | reverse | streamstats count(eval(searchmatch("banana"))) AS SessionID | reverse | stats list(_raw) AS events by SessionID
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-07-2015 01:24 AM

I'm getting 0 results with that search. I agree with you that transactions are slow and yes I think a better method would be to try to avoid it. How exactly does the Reverse command works ?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-08-2015 08:28 AM

We need reverse so that as we work backwards through the list from top-to-bottom, we process the oldest events first, meaning that whenever we see a banana event, it marks the beginning of a new "session".

I made a mistake in that I used stats instead of streamstats. I have correct this in my original answer; try again.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-09-2015 04:10 AM

its still not working for some reason... apparently SessionID is always empty...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-09-2015 12:41 PM

ARGH! I blew it again! I used count(searchmatch("banana")) instead of count(eval(searchmatch("banana"))). I have updated my answer again. If you care to retry, I am sure it will work this time!

Reply
Solved! Jump to solution

sundareshr
Legend
‎12-09-2015 06:27 AM

Try this

... "banana" OR "the keyword in the next event" | reverse | eval x=if(searchmatch("banana"), 1, 0) | streamstats sum(x) AS SessionID | reverse | stats list(_raw) AS events by SessionID
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-04-2015 07:30 AM

You could try the transaction command. Something like this could work.

index=* | transaction startswith="banana" maxevents=2

Having said this, keep in mind the sort order in splunk may not be the same as what you are thinking. So what you think as the "next" event may not be what splunk considers to be the "next" event.

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-04-2015 11:05 AM

I think that should work. I did it with |transaction _time startswith="banana" endwith="the keyword in the next even" since the "Next" event was in chronological order worked fine for me ^^

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎12-04-2015 06:20 AM

Hello. You can do it through configuration files (props.conf and transforms.conf). Read this:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/Configureeventlinebreaking

Thanks

SGF
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎12-04-2015 06:20 AM

Can you put some sample data here? The closer to your original data the better

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top