Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Tips on Formulating a query, where I have known text's from two different log lines

somnath_tm
New Member
‎05-05-2016 12:57 PM

A splunk novice question
We have logs and the example is something like this
2016-05-05T09:05:50.610050-07:00 Correlation-Id="XYZ" category="" request body :{}

2016-05-05T09:05:51.610050-07:00 Correlation-Id="XYZ" category="" response body :{}

I want to query in such a way that I am looking for a specific text in response body (that would be something like index=abc host=myserver "ERROR") as well the request body. So that I get a consolidated list of all the correlation-Ids which I can use.

Please NOTE: The request and response are in two different log lines

Is such query possible ?

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2016 03:26 PM

Find specific text is as simple as putting the desired text in quotes.

index=foo "bar"

will find all instance of "bar" in any event in the "foo" index.

To narrow it down to events containing either "request body" or "response body":

index=foo "bar" ("request body" OR "response body")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top