Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Log Message formating question

msmapper
Path Finder
‎08-12-2013 04:20 PM

I am trying create some new logging formats for some new data and I want to ensure it Splunk friendly, so I can do a lot of reporting on the data. The data is basic eCommerce information, such as a single order number and many item details. The problem is when I have multiple items for one order such as,

order item   item quantity   item description
123   1       5              pencil
      2       3              dog food

I can't get all of the values for each category, no matter the logging format that i try such as a table format to use the multikv command. multi

order Amount Delivery    Billing_Email    Trans_date       Item_number Item_description Item_price Item quantity
1005   500.78 ShiptoStore test1@email.com 08/12/13 04:33PM  1           Pencils          1          1
                                                            2           Paper            1.5        2
                                                            3           Dog food         10         2

or different variations of key value pairs such as Version1

txnIds=10010, score=10001, amount=57.59, delivery=ShiptoStore,bililng_email=test@email.com, trans_date="08/12/13 02:30PM", item_number="1,2,3", item_description="pencils,paper,"dog food"", item_price="1.20,1.50,10.00", item_quantity="1,2,2"

or Version2

txnIds=10011, amount=57.59, delivery=ShiptoStore, bililng_email=test@email.com, trans_date="08/12/13 02:30PM", item_number=1, item_description=pencils, item_price=1.20, item_quantity=1, item_number=2, item_description=cups, item_price=5.20, item_quantity=5, item_number=3, item_description=shampoo, item_price=7.40, item_quantity=1,

Version1 works fine except that i would need additional regex to split all of the items in each pair and that might put things out of order if i wanted to compare items and price. Version2 creates the fields but only displays the first value, example item_number would only display the number 1 not 1, 2, 3.

Any tips or tricks would be appreciated.

Regards

0 Karma
Reply

starcher
Influencer
‎08-16-2013 04:10 AM

In the keyvalue pairs and use a pipe character for the multivalue fields. I think that will make splunk bring in those fields as mv type automatically.

0 Karma
Reply

lukejadamec
Super Champion
‎08-12-2013 04:44 PM

Have you tried the transaction function?
You would need a number unique to the transaction that is repeated for each item ordered.
If orderid was that field, then you could search for all items with something like this:
somesearch | transaction orderid | search orderid=value
You can find the transaction documentation here:
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Transaction

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...