Splunk Search
Highlighted

How to search the count of two strings in two separate lines in our sample log files?

Explorer

I need to search two strings within the set of rows of the log file. I have a process running for the new webscript - Catalina-exec-7 and need to see the count of all such events where we have "source=vendor" from the querystring (row 4 in the sample log below) and "Bill Uploaded successfully" from the second to last line.

2016-10-20 17:51:47,207 INFO  [com.comp.app.webscripts.CompAbstractBaseWebscript.execute(CompAbstractBaseWebscript.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Server Path: http://app.comp.com:80
Service Path: /app/service/ccomp/bill/policy/BillUpload
Query String: isHidden=false&sensitive=unrestricted&Amount=200&**source=vendor**&name=20161020_123.TIF&mimeType=image
2016-10-20 17:51:47,207 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:38)] [catalina-exec-7] ***** New Bill Upload request Started *****
2016-10-20 17:51:47,209 DEBUG [comp.common.util.CitizensUploadUtilImpl.getUploadProps(CitizensUploadUtilImpl.java:245)] [catalina-exec-7] Adding content properties to object map.
2016-10-20 17:51:47,209 INFO  [com.comp.bill.BillServiceImpl.processBillUploadRequest(BillServiceImpl.java:136)] [catalina-exec-7] Begin - processBillingUploadRequest method
2016-10-20 17:51:47,210 INFO  [com.comp.bill.BillServiceImpl.fetchParentNodeRef(BillServiceImpl.java:177)] [catalina-exec-7] ## fetchParentNodeRef method 
2016-10-20 17:51:47,222 DEBUG [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:121)] [catalina-exec-7] Path toString: [Comp, Bill, 00, 54, 89, 66, 02]
2016-10-20 17:51:47,222 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Comp
2016-10-20 17:51:47,225 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Bill
2016-10-20 17:51:47,229 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 00
2016-10-20 17:51:47,231 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 54
2016-10-20 17:51:47,232 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 89
2016-10-20 17:51:47,264 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 66
2016-10-20 17:51:47,289 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 02
016-05-18 17:51:47,426 DEBUG [comp.common.util.CompUploadUtilImpl.doCheckAspectProcess(CompUploadUtilImpl.java:283)] [catalina-exec-7] Checking for check parameters
2016-10-20 17:51:47,427 DEBUG [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:59)] [catalina-exec-7] **Bill Uploaded successfully**
2016-10-20 17:51:47,427 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:79)] [catalina-exec-7] ************ Bill Upload end ************

Ultimately, we need a count of all the "Bill Uploaded successfully" where the "source=vendor"

Thanks!

0 Karma
Highlighted

Re: How to search the count of two strings in two separate lines in our sample log files?

Motivator

Hello @runiyal

Method #1:You can extract the source values to a extracted field and then apply the condition after extraction.

Example: Sourcename is the field you extract and you can simply ask splunk to |search Sourcename=vendor which will limit it to the events that contain that field

Method # 2: use a combination of eval , match function and the condition you want.

Method#3: use stats and eval combination with a AND condition (If both conditions you are looking for are key pairs)

Hope this helps,
Thanks,
Raghav

Highlighted

Re: How to search the count of two strings in two separate lines in our sample log files?

SplunkTrust
SplunkTrust

Give this a try

index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST" AND "source=vendor") OR "Bill Uploaded successfully"
| eval counter=if(searchmatch("NEW WEBSCRIPT REQUEST"),1,0) | eval isVendor=if(searchmatch("source=vendor"),1,0)| accum counter
| stats sum(isVender) as vendorBill by counter | where vendorBill=1 | stats count

OR

index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST") OR "Bill Uploaded successfully"
| transaction startswith="NEW WEBSCRIPT REQUEST" endswith="Bill Uploaded successfully"
| where searchmatch("source=vendor") | stats count
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.