Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to match two lines by a common ID within the same file and extract a field from the second line?

achetreanu
New Member
‎06-15-2015 03:29 AM

How can I match 2 lines of the same file that have a random number of other lines between them?

1111 Start Sub Transaction. New Id 1115
other lines here 
1115 Transaction End. No Funds Available

I need to match them on ID = 1115 and extract the result (in this case "No Funds Available").
Thank you.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-15-2015 06:08 AM

Like this:

... | rex "^(?<firstWord>\w+).*(?<lastWord>\w+)$" | eval ID=if(isnumber(lastWord), lastWord, firstWord) | stats list(_raw) by ID
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...