Splunk Search

Tips on Formulating a query, where I have known texts from two different log lines

somnath_tm
New Member

A Splunk novice question
We have logs, and an example is something like this:
2016-05-05T09:05:50.610050-07:00 Correlation-Id="XYZ" category="" request body :{}

2016-05-05T09:05:51.610050-07:00 Correlation-Id="XYZ" category="" response body :{}

I want to query in such a way that I am looking for a specific text in the response body (that would be something like index=abc host=myserver "ERROR") as well as in the request body, so that I get a consolidated list of all the Correlation-Ids which I can use.

Please NOTE: The request and response are in two different log lines

Is such a query possible?


richgalloway
SplunkTrust

Finding specific text is as simple as putting the desired text in quotes.

index=foo "bar"

will find all instances of "bar" in any event in the "foo" index.

To narrow it down to events containing either "request body" or "response body":

index=foo "bar" ("request body" OR "response body")
---
If this reply helps you, Karma would be appreciated.
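As an added example (not part of richgalloway's reply), one way to carry that search through to the consolidated list of Correlation-Ids the question asks for. It assumes the sample line format shown in the question, the hypothetical index and host from it, and extracts the ID itself with rex rather than relying on automatic field extraction of the hyphenated key:

```spl
index=abc host=myserver "ERROR" ("request body" OR "response body")
| rex field=_raw "Correlation-Id=\"(?<correlation_id>[^\"]+)\""
| eval side=if(like(_raw, "%request body%"), "request", "response")
| stats values(side) AS sides, dc(side) AS side_count BY correlation_id
| where side_count=2
| table correlation_id sides
```

The stats step folds the two separate log lines into one row per Correlation-Id; `where side_count=2` keeps only IDs whose request and response lines both matched "ERROR", and dropping that line lists every ID where either side matched.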