Solved: How to combine two consecutive events into one bas...

DavidHourani · ‎12-04-2015

Hello,

I would like to combine 2 events into one based on the content of the first one.

So every time I find an event containing the word "Banana" I wanna combine it with the line that follows regardless of what the following line is.

Could you please help out?

Thank you.
David

sundareshr · ‎12-04-2015

You could try the transaction command. Something like this could work.

index=* | transaction startswith="banana" maxevents=2

Having said this, keep in mind the sort order in splunk may not be the same as what you are thinking. So what you think as the "next" event may not be what splunk considers to be the "next" event.

View solution in original post

woodcock · ‎12-05-2015

You should try to avoid using transaction whenever you can. Try this instead (faster and more robust):

... "banana" OR "the keyword in the next event" | reverse | streamstats count(eval(searchmatch("banana"))) AS SessionID | reverse | stats list(_raw) AS events by SessionID

DavidHourani · ‎12-07-2015

I'm getting 0 results with that search. I agree with you that transactions are slow and yes I think a better method would be to try to avoid it. How exactly does the Reverse command works ?

woodcock · ‎12-08-2015

We need reverse so that as we work backwards through the list from top-to-bottom, we process the oldest events first, meaning that whenever we see a banana event, it marks the beginning of a new "session".

I made a mistake in that I used stats instead of streamstats. I have correct this in my original answer; try again.

DavidHourani · ‎12-09-2015

its still not working for some reason... apparently SessionID is always empty...

woodcock · ‎12-09-2015

ARGH! I blew it again! I used count(searchmatch("banana")) instead of count(eval(searchmatch("banana"))). I have updated my answer again. If you care to retry, I am sure it will work this time!

sundareshr · ‎12-09-2015

Try this

... "banana" OR "the keyword in the next event" | reverse | eval x=if(searchmatch("banana"), 1, 0) | streamstats sum(x) AS SessionID | reverse | stats list(_raw) AS events by SessionID

sundareshr · ‎12-04-2015

You could try the transaction command. Something like this could work.

index=* | transaction startswith="banana" maxevents=2

Having said this, keep in mind the sort order in splunk may not be the same as what you are thinking. So what you think as the "next" event may not be what splunk considers to be the "next" event.

DavidHourani · ‎12-04-2015

I think that should work. I did it with |transaction _time startswith="banana" endwith="the keyword in the next even" since the "Next" event was in chronological order worked fine for me ^^

stephanefotso · ‎12-04-2015

Hello. You can do it through configuration files (props.conf and transforms.conf). Read this:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/Configureeventlinebreaking

Thanks

SGF

jplumsdaine22 · ‎12-04-2015

Can you put some sample data here? The closer to your original data the better

How to combine two consecutive events into one based on the content of the first event?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms