Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to join multiple log streams together
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to join multiple log streams together
robgreen
Path Finder
12-11-2011
03:27 PM
We have our logs always generate a sessionid but each host has a separate sessionid with a link to the original as parentsessionid. I am trying to get a splunk query for when a session id is entered it will return back all the logs for all the hosts following the child parent relationship.
something like this
hostA: sessionid=aaa parentsessionid=null name=value name2=value2
hostB: sessionid=bbb parentsessionid=aaa name=valuexx name2=value2
hostC: sessionid=ccc parentsessionid=bbb name=valueyy name3=value3
if someone enters aaa i would like all three sessions to be returned in the query in order (as the session is running on all 3 at roughly the same time and in general one event on one host causes another event on a different host)
rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Takajian
Builder
12-11-2011
03:38 PM
Transaction command may be help for your case. This command can group events into transactions. Please try following command and confirm if this work or not.
sourcetype=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Takajian
Builder
12-11-2011
04:09 PM
Following command will work? I still think transaction command will help.
sourcetype=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
robgreen
Path Finder
12-11-2011
04:03 PM
even though the user only specified to search for "aaa" i want to include all events that are descended from it. ie ccc has no reference to aaa directly but bbb references both aaa and ccc. i am fine if it can only be its direct ancestor.. originally i thought i could do something like
search sessionid=aaa | join sessionid [search parentsessionid=
but i dont see a way to reference a field from a previous search in the pipeline..
rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Takajian
Builder
12-11-2011
03:51 PM
If you expect 60 events in your case, transaction command will not help although I thought it may help. Transaction command group events into transaction. What do you mean "how to join multiple log streams together"? I thought you want to group multiple events into a transaction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
robgreen
Path Finder
12-11-2011
03:43 PM
when i do
search sessionid=aaa i get 30 events, when i do
search sessionid=bbb i get 20 events, when i do
search sessionid=ccc i get 10 events. all good so far.
when i do the above i get 1 event when i am expecting 60 events.
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
