Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log Message formating question

msmapper
Path Finder
‎08-12-2013 04:20 PM

I am trying create some new logging formats for some new data and I want to ensure it Splunk friendly, so I can do a lot of reporting on the data. The data is basic eCommerce information, such as a single order number and many item details. The problem is when I have multiple items for one order such as,

order item   item quantity   item description
123   1       5              pencil
      2       3              dog food

I can't get all of the values for each category, no matter the logging format that i try such as a table format to use the multikv command. multi

order Amount Delivery    Billing_Email    Trans_date       Item_number Item_description Item_price Item quantity
1005   500.78 ShiptoStore test1@email.com 08/12/13 04:33PM  1           Pencils          1          1
                                                            2           Paper            1.5        2
                                                            3           Dog food         10         2

or different variations of key value pairs such as Version1

txnIds=10010, score=10001, amount=57.59, delivery=ShiptoStore,bililng_email=test@email.com, trans_date="08/12/13 02:30PM", item_number="1,2,3", item_description="pencils,paper,"dog food"", item_price="1.20,1.50,10.00", item_quantity="1,2,2"

or Version2

txnIds=10011, amount=57.59, delivery=ShiptoStore, bililng_email=test@email.com, trans_date="08/12/13 02:30PM", item_number=1, item_description=pencils, item_price=1.20, item_quantity=1, item_number=2, item_description=cups, item_price=5.20, item_quantity=5, item_number=3, item_description=shampoo, item_price=7.40, item_quantity=1,

Version1 works fine except that i would need additional regex to split all of the items in each pair and that might put things out of order if i wanted to compare items and price. Version2 creates the fields but only displays the first value, example item_number would only display the number 1 not 1, 2, 3.

Any tips or tricks would be appreciated.

Regards

0 Karma
Reply

starcher
Influencer
‎08-16-2013 04:10 AM

In the keyvalue pairs and use a pipe character for the multivalue fields. I think that will make splunk bring in those fields as mv type automatically.

0 Karma
Reply

lukejadamec
Super Champion
‎08-12-2013 04:44 PM

Have you tried the transaction function?
You would need a number unique to the transaction that is repeated for each item ordered.
If orderid was that field, then you could search for all items with something like this:
somesearch | transaction orderid | search orderid=value
You can find the transaction documentation here:
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Transaction

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...