Splunk Search

How to search the count of two strings in two separate lines in our sample log files?

runiyal
Path Finder

I need to search two strings within the set of rows of the log file. I have a process running for the new webscript (Catalina-exec-7) and need to see the count of all such events where we have "source=vendor" in the query string (row 4 in the sample log below) and "Bill Uploaded successfully" in the second-to-last line.

2016-10-20 17:51:47,207 INFO  [com.comp.app.webscripts.CompAbstractBaseWebscript.execute(CompAbstractBaseWebscript.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Server Path: http://app.comp.com:80
Service Path: /app/service/ccomp/bill/policy/BillUpload
Query String: isHidden=false&sensitive=unrestricted&Amount=200&**source=vendor**&name=20161020_123.TIF&mimeType=image
2016-10-20 17:51:47,207 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:38)] [catalina-exec-7] ***** New Bill Upload request Started *****
2016-10-20 17:51:47,209 DEBUG [comp.common.util.CitizensUploadUtilImpl.getUploadProps(CitizensUploadUtilImpl.java:245)] [catalina-exec-7] Adding content properties to object map.
2016-10-20 17:51:47,209 INFO  [com.comp.bill.BillServiceImpl.processBillUploadRequest(BillServiceImpl.java:136)] [catalina-exec-7] Begin - processBillingUploadRequest method
2016-10-20 17:51:47,210 INFO  [com.comp.bill.BillServiceImpl.fetchParentNodeRef(BillServiceImpl.java:177)] [catalina-exec-7] ## fetchParentNodeRef method 
2016-10-20 17:51:47,222 DEBUG [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:121)] [catalina-exec-7] Path toString: [Comp, Bill, 00, 54, 89, 66, 02]
2016-10-20 17:51:47,222 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Comp
2016-10-20 17:51:47,225 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Bill
2016-10-20 17:51:47,229 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 00
2016-10-20 17:51:47,231 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 54
2016-10-20 17:51:47,232 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 89
2016-10-20 17:51:47,264 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 66
2016-10-20 17:51:47,289 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 02
016-05-18 17:51:47,426 DEBUG [comp.common.util.CompUploadUtilImpl.doCheckAspectProcess(CompUploadUtilImpl.java:283)] [catalina-exec-7] Checking for check parameters
2016-10-20 17:51:47,427 DEBUG [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:59)] [catalina-exec-7] **Bill Uploaded successfully**
2016-10-20 17:51:47,427 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:79)] [catalina-exec-7] ************ Bill Upload end ************

Ultimately, we need a count of all the "Bill Uploaded successfully" where the "source=vendor"

Thanks!

0 Karma

somesoni2
SplunkTrust

Give this a try:

index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST" AND "source=vendor") OR "Bill Uploaded successfully"
| eval counter=if(searchmatch("NEW WEBSCRIPT REQUEST"),1,0) | eval isVendor=if(searchmatch("source=vendor"),1,0) | accum counter
| stats sum(isVendor) as vendorBill by counter | where vendorBill=1 | stats count

OR

index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST") OR "Bill Uploaded successfully"
| transaction startswith="NEW WEBSCRIPT REQUEST" endswith="Bill Uploaded successfully"
| where searchmatch("source=vendor") | stats count
0 Karma
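As an added example (not code from the original thread), the same correlation the transaction search above performs, written in Python over constructed log lines in the layout the question shows. It keys each request on the thread name in the second bracket ([catalina-exec-7] in the question) so that interleaved requests on other threads cannot be paired with the wrong success line, and reads source= from the Query String continuation line.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in the layout shown in the question (not the poster's
# real log). Two threads interleave, and the second catalina-exec-7 request
# fails, so only one vendor upload should be counted.
SAMPLE_LOG = """\
2016-10-20 17:51:47,207 INFO  [a.b.C.execute(C.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Server Path: http://app.comp.com:80
Query String: isHidden=false&source=vendor&name=20161020_123.TIF
2016-10-20 17:51:47,210 INFO  [a.b.C.execute(C.java:66)] [catalina-exec-9] ****** NEW WEBSCRIPT REQUEST ******
Server Path: http://app.comp.com:80
Query String: isHidden=false&source=portal&name=20161020_124.TIF
2016-10-20 17:51:47,427 DEBUG [a.b.W.executeWS(W.java:59)] [catalina-exec-9] Bill Uploaded successfully
2016-10-20 17:51:47,430 DEBUG [a.b.W.executeWS(W.java:59)] [catalina-exec-7] Bill Uploaded successfully
2016-10-20 17:51:48,100 INFO  [a.b.C.execute(C.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Query String: source=vendor&name=20161020_125.TIF
2016-10-20 17:51:48,200 ERROR [a.b.W.executeWS(W.java:70)] [catalina-exec-7] Bill Upload failed
"""

# Header line: timestamp, level, [class.method(File:line)], [thread], message.
HEADER = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} +\w+ +\[[^\]]*\] \[([^\]]+)\] (.*)$"
)


def count_successful_uploads(log_text):
    """Count 'Bill Uploaded successfully' lines, keyed by the source= value
    of the request that was opened on the same thread."""
    open_requests = {}      # thread name -> source value from its query string
    current_thread = None   # thread of the last header line (for continuation lines)
    counts = Counter()
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current_thread, message = m.groups()
            if "NEW WEBSCRIPT REQUEST" in message:
                # A new request on this thread replaces any unfinished one.
                open_requests[current_thread] = None
            elif "Bill Uploaded successfully" in message:
                if current_thread in open_requests:
                    source = open_requests.pop(current_thread)
                    counts[source or "unknown"] += 1
        elif line.startswith("Query String:") and current_thread in open_requests:
            # Continuation line of the request header: parse the query string.
            params = parse_qs(line.split(":", 1)[1].strip())
            open_requests[current_thread] = params.get("source", [None])[0]
    return dict(counts)   # {'portal': 1, 'vendor': 1} for SAMPLE_LOG
```

A request whose upload never reaches the success line (the failed one above) is left in open_requests and not counted, which is the same effect as the transaction not closing.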

Raghav2384
Motivator

Hello @runiyal

Method #1: You can extract the source values to an extracted field and then apply the condition after extraction.

Example: Sourcename is the field you extract, and you can simply ask Splunk to |search Sourcename=vendor, which will limit it to the events that contain that field.

Method #2: use a combination of eval, the match function, and the condition you want.

Method #3: use a stats and eval combination with an AND condition (if both conditions you are looking for are key-value pairs).

Hope this helps,
Thanks,
Raghav
