Splunk Search

Is it possible to aggregate and search within aggregated results?

sohymg
New Member

My app logs multiple lines per request and each line has a "request_id" key for identification. For each request, there is an optional log line that contains a "session_id" key. How do I search to show all the log lines of a particular request which includes the "session_id" key?

Example:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session_id=1
request_id=2, msg=D

Wanted result:
request_id=2, msg=C, session_id=1
request_id=2, msg=D

0 Karma

jkat54
SplunkTrust
SplunkTrust
| eval r=_raw
| fields - _time _raw
| makemv r delim="request_" 
| mvexpand r 
| rex field=r "id=(?<request_id>\d+)\,\s+msg=(?<msg>\w+)(\,\s+session_id=(?<session>\d+))?" 
| rex field=r mode=sed "s/^id=/request_id=/g"
| search request_id=2 
| fields r
0 Karma

sohymg
New Member

I get some rows but they are empty.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Your text says session_id but your example says session=. adonio's answer assumed the example data was correct, as opposed to your written description.

0 Karma

adonio
Ultra Champion

Hello sohymg,
indicate in your search that you are looking for events with the session field

index = <yourIndex> sourcetype = <yourSourcetype> request_id=* msg=* session=* | table _time host request_id msg session

hope it helps

0 Karma

sohymg
New Member

I tried this and there was no result. Just to clarify:

This is the entire dataset:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session=1
request_id=2, msg=D

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D

0 Karma

adonio
Ultra Champion

did you replace the values for index and sourcetype to match yours?

0 Karma

sohymg
New Member

Sorry there was some typo. I got it to work but the result is not what i want

Returned result:
request_id=2, msg=C, session=1

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D

0 Karma

adonio
Ultra Champion

so to be clear, what you would like to see is: if you have a value of 1 under the session field (session=1) then you want to see all events with request_id=2. is that correct?

0 Karma

sohymg
New Member

Yes thats correct

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...