
Need to treat multiple lines in log file as a single unit, joined by an element

jarrowwx
New Member

I need to index the logs for a web service. For each end-user's interactions with the system, a collection of web service calls are likely to be made. In the raw files, each is a separate line, and different sessions will be woven in together, because it is a multi-user system. The one thing they will all have in common is the session ID. For example:

13:28:09,080 01/31 0317BF7117D4C4A2F80CE25BB76F8EB8 ... ConfigurationService.lookupApplicationConfigurationProperties ...
13:28:09,086 01/31 D4CC24E705670088920490171F76A079 ... NetworkService.queryOutages ...
13:28:09,234 01/31 0317BF7117D4C4A2F80CE25BB76F8EB8 ... ConfigurationService.uivrLookupBroadcastMessages ...
13:28:09,298 01/31 D4CC24E705670088920490171F76A079 ... AppointmentService.queryAppointment ...
13:28:09,385 01/31 B5D41CFAE762291AEDD43CE424B751F8 ... IdentifyService.dtmfLookupCustomerByTN ...

What I need to do is select across multiple rows. In the above example, where the session ID starts with 0317, those lines are for one customer. I need to be able to compose a search that will treat all of those lines as being together, so I can specify criteria across different services. A single customer session may be composed of 10 services, and I need to select all of the customer sessions that included services X, Y, and Z, and for each of those services I want to put restrictions in there, such as field X.FOO=someValue, Y.BAR=somethingElse, and Z.BLIP=argh.

Is this even doable?

Thanks for the help!


David
Splunk Employee

It sounds like what you want is the transaction command: http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction

You would need to define a field that matches your session ID using perl-compatible regular expressions with either props.conf or the rex command, such as:

YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S+)" | transaction SessionID

That will package all the lines for a particular user as one event, and give you access to things such as:

YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S+)" | transaction SessionID | search NetworkService.queryOutages

to find only sessions that query network service outages or:

YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S+)" | transaction SessionID
  | search NetworkService.queryOutages Query.Result=Error

to get sessions where they both queried network service outages and where one of the different actions they took had an error. You also get the duration field, which tells you how long the session lasted, and the eventcount field, which tells you how many individual lines were packaged into that transaction.

If you're not familiar with PCRE syntax and rex/props.conf, you can run with what I put above, or start your search with the following:

I hope that all is helpful.

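The pipeline in the answer above, worked through as an added Python example that is not part of the original thread and not Splunk code: it applies the same field extraction the rex command does (Python needs (?P<name>...) where Splunk's PCRE accepts (?<name>...)), groups the lines by SessionID the way `transaction SessionID` does (producing eventcount and duration), and then filters sessions on per-service field restrictions of the kind the question asks for (service X with X.FOO=someValue). The log lines are constructed from the question's line layout with invented Result=... key/value fields in place of the elided "..." parts; the year (absent from the log format) and the 32-hex-character session-ID pattern are assumptions.

```python
"""Emulate rex -> transaction SessionID -> search over the question's log format."""
import re
from datetime import datetime

# rex: extract time, date, session ID, service call and trailing key=value pairs.
# The session ID is assumed to be exactly 32 hex characters (the question's examples
# are); Splunk's answer used the looser \S+.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d,\d{3}) (?P<date>\d\d/\d\d) "
    r"(?P<SessionID>[0-9A-F]{32}) (?P<service>\S+)(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample data (not from the page): the question's layout with invented
# Result=... fields standing in for the elided parts of each line.
SAMPLE_LOG = """\
13:28:09,080 01/31 0317BF7117D4C4A2F80CE25BB76F8EB8 ConfigurationService.lookupApplicationConfigurationProperties Result=OK
13:28:09,086 01/31 D4CC24E705670088920490171F76A079 NetworkService.queryOutages Result=OK
13:28:09,234 01/31 0317BF7117D4C4A2F80CE25BB76F8EB8 ConfigurationService.uivrLookupBroadcastMessages Result=OK
13:28:09,298 01/31 D4CC24E705670088920490171F76A079 AppointmentService.queryAppointment Result=Error
13:28:09,385 01/31 B5D41CFAE762291AEDD43CE424B751F8 IdentifyService.dtmfLookupCustomerByTN Result=OK
13:28:10,012 01/31 B5D41CFAE762291AEDD43CE424B751F8 NetworkService.queryOutages Result=OK
13:28:11,500 01/31 D4CC24E705670088920490171F76A079 NetworkService.queryOutages Result=OK
"""


def parse_line(line):
    """rex step: return the extracted fields for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # The log carries no year; a fixed year is assumed so lines can be ordered and timed.
    ev["_time"] = datetime.strptime(f"2024 {ev['date']} {ev['time']}", "%Y %m/%d %H:%M:%S,%f")
    ev["fields"] = dict(KV_RE.findall(ev.pop("rest")))
    return ev


def transaction(lines, key="SessionID"):
    """transaction step: group events by key and add eventcount and duration (seconds)."""
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if ev:
            groups.setdefault(ev[key], []).append(ev)
    result = {}
    for sid, evs in groups.items():
        evs.sort(key=lambda e: e["_time"])
        result[sid] = {
            "events": evs,
            "eventcount": len(evs),
            "duration": (evs[-1]["_time"] - evs[0]["_time"]).total_seconds(),
        }
    return result


def session_matches(txn, required):
    """search step: True if, for every (service, {field: value}) requirement, some call
    in the session is that service AND carries those field values on the same line."""
    for service, fields in required:
        if not any(
            ev["service"] == service
            and all(ev["fields"].get(k) == v for k, v in fields.items())
            for ev in txn["events"]
        ):
            return False
    return True


def find_sessions(log_text, required):
    """Return the sorted IDs of sessions satisfying every requirement in `required`."""
    txns = transaction(log_text.splitlines())
    return sorted(sid for sid, t in txns.items() if session_matches(t, required))


if __name__ == "__main__":
    # Sessions that queried outages AND whose appointment lookup returned an error.
    print(find_sessions(SAMPLE_LOG, [
        ("NetworkService.queryOutages", {}),
        ("AppointmentService.queryAppointment", {"Result": "Error"}),
    ]))
```

One design point worth knowing before relying on the SPL version alone: after `transaction`, every extracted field (here Result) becomes a multivalue field on the merged session event, so `search ServiceX Result=Error` matches any session in which ServiceX appeared and some call, not necessarily ServiceX, errored. `session_matches` above keeps the per-line pairing of service and field, which is what the question's X.FOO=someValue restrictions actually require.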

