Splunk Search

Is it possible to aggregate and search within aggregated results?

sohymg
New Member

My app logs multiple lines per request and each line has a "request_id" key for identification. For each request, there is an optional log line that contains a "session_id" key. How do I search to show all the log lines of a particular request which includes the "session_id" key?

Example:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session_id=1
request_id=2, msg=D

Wanted result:
request_id=2, msg=C, session_id=1
request_id=2, msg=D

0 Karma

jkat54
SplunkTrust
SplunkTrust
| eval r=_raw
| fields - _time _raw
| makemv r delim="request_" 
| mvexpand r 
| rex field=r "id=(?<request_id>\d+)\,\s+msg=(?<msg>\w+)(\,\s+session_id=(?<session>\d+))?" 
| rex field=r mode=sed "s/^id=/request_id=/g"
| search request_id=2 
| fields r
0 Karma

sohymg
New Member

I get some rows but they are empty.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Your text says session_id but your example says session=. adonio's answer assumed the example data was correct, as opposed to your written description.

0 Karma

adonio
Ultra Champion

Hello sohymg,
indicate in your search that you are looking for events with the session field

index = <yourIndex> sourcetype = <yourSourcetype> request_id=* msg=* session=* | table _time host request_id msg session

hope it helps

0 Karma

sohymg
New Member

I tried this and there was no result. Just to clarify:

This is the entire dataset:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session=1
request_id=2, msg=D

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D

0 Karma

adonio
Ultra Champion

did you replace the values for index and sourcetype to match yours?

0 Karma

sohymg
New Member

Sorry there was some typo. I got it to work but the result is not what i want

Returned result:
request_id=2, msg=C, session=1

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D

0 Karma

adonio
Ultra Champion

so to be clear, what you would like to see is: if you have a value of 1 under the session field (session=1) then you want to see all events with request_id=2. is that correct?

0 Karma

sohymg
New Member

Yes thats correct

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...