Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to merge logs with transaction where OR if?

jrodriguezap
Contributor
‎08-28-2014 03:19 PM

Hi there
A query, you can do something like a "transaction where"
For example, all of the following logs, merged with the exception of those with the "dst" field

Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 sender=jorge@domain.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 subject="regards"
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 size=452132
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=luis@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=jhon@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=alex@example.com

Whereas should continue to show the logs have "dst"

PS: Skip APPEND

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

OL
Communicator
‎08-29-2014 07:38 AM

Can you try:

(your search params) | eval dst=if(isnull(dst),"NULL", dst) | transaction sessionid dst

Regards,
Olivier

View solution in original post

Reply
Solved! Jump to solution
Solution

OL
Communicator
‎08-29-2014 07:38 AM

Can you try:

(your search params) | eval dst=if(isnull(dst),"NULL", dst) | transaction sessionid dst

Regards,
Olivier

Reply
Solved! Jump to solution

OL
Communicator
‎08-31-2014 02:46 AM

Have a look at http://answers.splunk.com/answers/26330/multi-line-event-field-extraction , it might help you.

0 Karma
Reply
Solved! Jump to solution

jrodriguezap
Contributor
‎08-29-2014 09:19 AM

Hi OL
A query, something that allows me to split the merged logs?
That is, after the transaction make a | where isNull(src) and those who do not have that field, I want to divide them. I tried with mvexpand but this divided field, what I want is to divide the entire log.
Maybe some command that divide through a regex

0 Karma
Reply
Solved! Jump to solution

jrodriguezap
Contributor
‎08-29-2014 08:05 AM

haha!
It was so simple that I forgot that I could be.
thank you very much

0 Karma
Reply
Solved! Jump to solution

jrodriguezap
Contributor
‎08-29-2014 06:58 AM

Hi Thanks
I need to have merged all logs that do not have the "dst" field, but must be followed showing those who do have

0 Karma
Reply
Solved! Jump to solution

jeremiahc4
Builder
‎08-29-2014 05:31 AM

this looks like a very simple transaction on the sessionid, if you don't want dst, then you could just throw a NOT in there;

(your search params) dst!=* | transaction sessionid

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-29-2014 05:15 AM

Are there any other field based on which you need to merge them?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...