Splunk Search

Is it possible to aggregate and search within aggregated results?

New Member

My app logs multiple lines per request and each line has a "request_id" key for identification. For each request, there is an optional log line that contains a "session_id" key. How do I search to show all the log lines of a particular request which includes the "session_id" key?

Example:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session_id=1
request_id=2, msg=D

Wanted result:
request_id=2, msg=C, session_id=1
request_id=2, msg=D


SplunkTrust
| eval r=_raw
| fields - _time _raw
| makemv r delim="request_" 
| mvexpand r 
| rex field=r "id=(?<request_id>\d+)\,\s+msg=(?<msg>\w+)(\,\s+session_id=(?<session>\d+))?" 
| rex field=r mode=sed "s/^id=/request_id=/g"
| search request_id=2 
| fields r

New Member

I get some rows but they are empty.


SplunkTrust

Your text says session_id but your example says session=. adonio's answer assumed the example data was correct, as opposed to your written description.


SplunkTrust

Hello sohymg,
Indicate in your search that you are looking for events with the session field:

index=<yourIndex> sourcetype=<yourSourcetype> request_id=* msg=* session=* | table _time host request_id msg session

Hope it helps.


New Member

I tried this and there was no result. Just to clarify:

This is the entire dataset:
request_id=1, msg=A
request_id=1, msg=B
request_id=2, msg=C, session=1
request_id=2, msg=D

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D


SplunkTrust

Did you replace the values for index and sourcetype to match yours?


New Member

Sorry, there was a typo. I got it to work, but the result is not what I want.

Returned result:
request_id=2, msg=C, session=1

This is the result I need:
request_id=2, msg=C, session=1
request_id=2, msg=D


SplunkTrust

So, to be clear, what you would like to see is: if you have a value of 1 under the session field (session=1), then you want to see all events with request_id=2. Is that correct?


New Member

Yes, that's correct.

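The requirement the last two posts converge on is a group-then-filter: keep every line of any request that has at least one line carrying a session value, and drop requests that never had one. The search below is an added example, not code posted in the thread. Like the earlier `table` answer, it assumes Splunk has auto-extracted the key=value fields `request_id`, `msg` and `session` (or `session_id`, which the thread also mentions) at search time, and it keeps the thread's `<yourIndex>` and `<yourSourcetype>` placeholders.

```spl
index=<yourIndex> sourcetype=<yourSourcetype> request_id=*
| eval sess=coalesce(session, session_id)
| eventstats values(sess) AS request_session BY request_id
| where isnotnull(request_session)
| sort 0 request_id _time
| table _time request_id msg sess
```

`eventstats` is the aggregation that answers the original question: unlike `stats`, it does not collapse the events, it copies the per-`request_id` aggregate (`request_session`) onto every line of that request, so the `msg=D` line with no session field of its own still carries the value from its sibling line and survives the `where`. On the dataset in the thread this returns both `request_id=2` lines and nothing for request 1. To narrow to one session rather than any session, replace `isnotnull(request_session)` with `request_session=1`. `coalesce` just covers the `session` versus `session_id` naming mismatch discussed above; if the fields are not auto-extracted, add a `rex` that pulls them out of `_raw` before the `eval`.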