Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Join or something better?

tb582
Explorer
‎03-06-2012 12:29 PM

I'm new to splunk, here's my issue. I have a log file which contains the extracted fields below:
task_id
task_duration
content_owner
task_type

I'm looking to find the task_duration for two search strings "string ABC" OR "string 123" so those two lines which would return would have task_id, task_duration, and task_type. I need to use the task_id to find the content_owner as its elsewhere in the log... In the end what I want to see is:

task_id: #### content_owner: XYZ task_type: XYZ task_duration: ####
task_type: ZYX task_duration: ####

task_id: #### etc

Tags (1)
0 Karma
Reply

cramasta
Builder
‎03-06-2012 02:23 PM

Really would need to see your data to figure out the right solution but you could try something like

...| transaction task_id

OR

....| stats values by task_id

0 Karma
Reply

tb582
Explorer
‎03-06-2012 05:29 PM

ok logs sent

0 Karma
Reply

cramasta
Builder
‎03-06-2012 04:50 PM

Will you still be sending example data?

So is there one line with taskid , duration, type. Then another line with Id and owner where the id will equal taskid?

0 Karma
Reply

tb582
Explorer
‎03-06-2012 04:39 PM

Actually looking at my data again, it looks like I was slightly off... Maybe you can help ne with a bit more detail. So I still want to see the data as above but I was wrong about content_owner its not contained within the same task_id but rather Splunk will need to look for owner based on an extracted field called id.

0 Karma
Reply

cramasta
Builder
‎03-06-2012 03:11 PM

Sure send to j1621c@Yahoo.com

0 Karma
Reply

tb582
Explorer
‎03-06-2012 03:07 PM

I tried that - doesnt seem to work exactly the way I want - can I send you some examples offline?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...