
How to get subset of lines from log

Splunklearning2
New Member

Hi,

We have a requirement where we have to get the start-to-end log of one process, and when we get the log we can see the logs of other processes as well which are running in parallel. So we want to get the lines of only the process which we have to work on. The process number changes at every run.

Sample Log:

2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started
2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData
2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection
2022-02-14 02:30:00,065 [Worker-2] DEBUG another process started
2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding
2022-02-14 02:30:00,082 [Worker-2] DEBUG ExistingAccount
2022-02-14 02:30:00,083 [Worker-2] DEBUG query is array
2022-02-14 02:30:00,097 [Worker-2] DEBUG Done.... assigning access for account
2022-02-14 02:30:00,524 [Worker-2] DEBUG closing connection
2022-02-14 02:30:00,547 [Worker-2] Task Complete
2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally...
2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email
2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended

We have used the below search to get the above log:

index=test sourcetype=debugLog | transaction startswith="User job started" endswith="User job ended"

We want the output as below. So how can we add extra logic to the above search to get the below output?

2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started
2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData
2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection
2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding
2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally...
2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email
2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended


Splunklearning2
New Member

Yes, your understanding is correct, but the process number will be different every time. Any sample command will be very helpful.


PickleRick
SplunkTrust

Ideally, parsing and field extraction should have been done as part of data onboarding so you should have the field "ready to use". But let's assume it hadn't been done.

So you have to parse the field from the event on your own. Assuming that the process name is always "worker-X", you can use

index=test sourcetype=debugLog
| rex "\[worker-(?<workerID>\d+)\]"
transaction workerID startswith="User job started" endswith="User job ended"

You can, alternatively, parse out anything that's between the brackets and use that value. Like

index=test sourcetype=debugLog
| rex "\[(?<ProcessID+)\]"
transaction ProcessID startswith="User job started" endswith="User job ended"


Splunklearning2
New Member

I tried both the commands but they didn't work.

index=test sourcetype=debugLog
| rex "\[worker-(?<workerID>\d+)\]"
transaction workerID startswith="User job started" endswith="User job ended"

In this I have to add | before transaction, else it was failing. When I added | and ran the command, it's giving 0 events. Can you explain what this command will do?

Other command is failing with REX error.


PickleRick
SplunkTrust

OK. I missed the pipe sign before the second line.

index=test sourcetype=debugLog
| rex "\[Worker-(?<workerID>\d+)\]"
| transaction workerID startswith="User job started" endswith="User job ended"

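To show what the corrected search does, here is an added Python emulation (not from the thread or from Splunk) of the rex extraction and the workerID-keyed transaction, run over the sample log from the question. The pattern, start/end markers and log lines are the thread's own; the helper names are assumptions of this example.

```python
import re

# Constructed copy of the sample log from the question (Worker-2 and Worker-3 interleaved).
SAMPLE_LOG = """\
2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started
2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData
2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection
2022-02-14 02:30:00,065 [Worker-2] DEBUG another process started
2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding
2022-02-14 02:30:00,082 [Worker-2] DEBUG ExistingAccount
2022-02-14 02:30:00,083 [Worker-2] DEBUG query is array
2022-02-14 02:30:00,097 [Worker-2] DEBUG Done.... assigning access for account
2022-02-14 02:30:00,524 [Worker-2] DEBUG closing connection
2022-02-14 02:30:00,547 [Worker-2] Task Complete
2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally...
2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email
2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended
"""

# Same pattern as the corrected rex. Like Splunk's rex it is case-sensitive,
# so the earlier lowercase "worker-" variant matches nothing on this log.
WORKER_RE = re.compile(r"\[Worker-(?P<workerID>\d+)\]")

def extract_worker_id(line):
    """Emulate the rex step: return the workerID field, or None if absent."""
    m = WORKER_RE.search(line)
    return m.group("workerID") if m else None

def group_transactions(lines, start="User job started", end="User job ended"):
    """Emulate `transaction workerID startswith=... endswith=...`.
    Events are grouped per workerID; a run opens on the start marker and is
    emitted on the end marker, so other workers' lines never enter it."""
    open_runs = {}     # workerID -> lines of the run currently open for it
    transactions = []  # (workerID, lines) for each completed run
    for line in lines:
        wid = extract_worker_id(line)
        if wid is None:
            continue   # no workerID field: nothing to key the transaction on
        if start in line:
            open_runs[wid] = [line]
        elif wid in open_runs:
            open_runs[wid].append(line)
            if end in line:
                transactions.append((wid, open_runs.pop(wid)))
    return transactions  # incomplete runs (no end marker yet) are not emitted

if __name__ == "__main__":
    for wid, run in group_transactions(SAMPLE_LOG.splitlines()):
        print(f"workerID={wid} eventcount={len(run)}\n" + "\n".join(run))
```

Running it prints exactly the seven Worker-3 lines requested in the question; the Worker-2 lines are excluded because they carry a different workerID.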

PickleRick
SplunkTrust

If I understand correctly, in your example you would want to have only the lines from Worker-3 without the lines from Worker-2, right?

You need to extract this field and use it in your transaction command to distinguish separate worker runs.
