Splunk Search

How to filter events from a transaction result.

Communicator

After the transaction command, I got a set of events as one event. Now I want to filter the logs from this transaction result.

Let's say my transaction result has 10 lines as Line 1 to Line 10.
Now I want only lines from line 3 to line 8.
How can I do this?
Please help... ASAP.


Esteemed Legend

First, get rid of transaction by manufacturing a sessionID like this:

search... | reverse | streamstats current=t count(eval(searchmatch("start"))) AS sessionID | stats list(_raw) by sessionID

Now that you have a sessionID field for every event, you have more control and can do something like this:

search... | reverse | streamstats current=t count(eval(searchmatch("Start"))) AS sessionID | streamstats current=t count(eval(searchmatch("\"DEBUG - PQR\" OR \"DEBUG - XYZ\""))) AS subsessionID by sessionID | search subsessionID="1" NOT Start | stats list(_raw) by sessionID

Path Finder

Maybe use mvindex?

| eval NewField=mvindex(_raw, 3, 8)

Path Finder

Seems like the _raw field isn't a multi-value field after a transaction. It does, however, work for other fields. Maybe extract the useful info from the logs before transactioning?


Path Finder

You could use a regular expression to extract the relevant info from the _raw field. That might, however, be a tedious job if there are a lot of exceptions; you might have to write several ones. This should work for your example:

| rex "(?s)PQR\s(?<RelevantLogStuff>.+)\s2015.+XYZ"

Communicator

The filtering is not based on line numbers. It's based on some keywords, let's say "ReStart" to "Close"; I need the logs which are in between these keywords, and the line numbers are not fixed either.


Revered Legend

Is the filter (from row 3 to row 8) fixed, or does it depend on some value in the actual data?


Communicator

It's not fixed. It depends on the keyword I use, and on the requirement.


Revered Legend

See if something like this would work for you.

search... | eval RawLines=_raw | transaction startswith="start" endswith="end" | eval RawLines=mvfilter(NOT match(RawLines,"Start") AND NOT match(RawLines,"End"))

The field _raw, though it looks like a multivalued field in the events tab, is actually not, so I created another field which holds the raw data lines, and the filter is applied on that field.


Builder

An example please?


Communicator

Query:
search... | transaction startswith="start" endswith="end"

And I got the event below:

2015/10/17 06:32:43,872 EDT - DEBUG - Start
2015/10/17 06:32:43,872 EDT - DEBUG - PQR
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - XYZ
2015/10/17 06:32:43,872 EDT - DEBUG - End

Now I need only the logs from DEBUG - PQR to DEBUG - XYZ.

Please help...
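As an added, stand-alone model of the streamstats approach from the earlier answer (Python, not Splunk SPL, and not code from any poster), run over the sample event in this post: a running count of the session marker numbers each session, and running counts of the inner start and end markers keep the lines from "DEBUG - PQR" through "DEBUG - XYZ" with both ends included, which a plain `subsessionID="1"` filter would not do for the end line. The marker strings and the handling of a second session with no end marker are assumptions.

```python
from typing import Dict, List

# Constructed sample: the multi-line event shown in the question after
# `transaction startswith="start" endswith="end"`, oldest line first
# (the order `| reverse` produces before streamstats).
SAMPLE_EVENT = """\
2015/10/17 06:32:43,872 EDT - DEBUG - Start
2015/10/17 06:32:43,872 EDT - DEBUG - PQR
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - XYZ
2015/10/17 06:32:43,872 EDT - DEBUG - End"""


def _matches(line: str, marker: str) -> bool:
    # searchmatch() is case-insensitive, so the model is too.
    return marker.lower() in line.lower()


def slice_between(lines: List[str], session_marker: str,
                  start_marker: str, end_marker: str) -> Dict[int, List[str]]:
    """Model of the streamstats chain: a running count of session_marker
    assigns every line a sessionID; inside a session, running counts of
    start_marker and end_marker decide whether the line lies in the
    window [start_marker, end_marker], both ends included.
    Returns {sessionID: kept lines}; lines before any session marker get ID 0."""
    kept: Dict[int, List[str]] = {}
    session_id = 0
    starts_seen = ends_seen = 0
    for line in lines:
        if _matches(line, session_marker):
            session_id += 1
            starts_seen = ends_seen = 0  # 'by sessionID' restarts the counters
        if _matches(line, start_marker):
            starts_seen += 1
        # Decide before counting the end marker so the end line itself is kept.
        in_window = starts_seen > 0 and ends_seen == 0
        if _matches(line, end_marker):
            ends_seen += 1
        if in_window:
            kept.setdefault(session_id, []).append(line)
    return kept


def debug_window(raw_event: str) -> List[str]:
    """The question's case: lines from 'DEBUG - PQR' to 'DEBUG - XYZ' in session 1."""
    return slice_between(raw_event.splitlines(), "Start",
                         "DEBUG - PQR", "DEBUG - XYZ").get(1, [])
```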
