complicated subsearches

Path Finder

I have jboss logs that print a message size every time jboss restarts. The message size is different every time jboss starts and a message is displayed:

2010-09-28 02:52:04,992 INFO messageSize=4194304bytes

I have a field extraction for the messageSize.

What I want to do now is pull this kind of log and determine what the message size is based upon the last time jboss started before the log line (in this case, before 04:43):

2010-09-29 04:43:22,836 INFO Request information [requestid=364a05b7-2beb-4c68-8459-52e6fc4612b3]

I am able to pull one request and its message size using the following splunk query (although I can't get the request id printed in the table):

sourcetype="server09282010" [search sourcetype="server09282010" 364a05b7-2beb-4c68-8459-52e6fc4612b3 | head 1 | rename _time as latest| fields latest] |   WHERE MessageSizeBytes NOT NULL | head 1 | table _time MessageSizeBytes

What i really want is a table with requestid and Message size (based upon the time when jboss was started)

I hope this makes sense; it is a complicated query.

Thanks!


Super Champion

I'm not 100% sure that I fully understand what you are trying to do here, one possibility is to use transaction search command:

sourcetype="server09282010" | transaction startswith="INFO messageSize" mvlist=requestid | search 364a05b7-2beb-4c68-8459-52e6fc4612b3

You may be able to open the search timeframe slightly, then use stats to pull the values from across events. Off the top of my head, I don't know if a specific "latest" value is inclusive of that exact timestamp; if it is, then the -1 isn't needed. (This may need some tweaking...)

sourcetype="server09282010" [search sourcetype="server09282010" 364a05b7-2beb-4c68-8459-52e6fc4612b3 | head 1 | eval latest=_time-1 | fields latest] | search MessageSizeBytes=* | head 1 | stats min(_time), values(requestid), list(MessageSizeBytes)
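What the question is really asking for is a carry-forward join: walk the events oldest to newest, remember the most recent messageSize line, and attach that value to every request line until the next restart replaces it. The script below is an added example written for this page, not code from the thread; it runs the same logic in Python over a handful of constructed log lines in the layout shown in the question (the requestids other than 364a05b7-... are made up), so you can check the expected answer before building the search. It also covers the two cases the subsearch approach above trips over: events arriving newest-first, as Splunk returns them, and a request logged before any restart line in the search window (reported with no size rather than a wrong one).

```python
import re
from datetime import datetime

# Constructed sample events in the layout from the question (not real jboss output).
# Deliberately out of time order, as search results come back newest-first.
SAMPLE_LOG = """\
2010-09-29 04:45:00,000 INFO Request information [requestid=aaaaaaaa-0000-4000-8000-000000000002]
2010-09-29 04:43:22,836 INFO Request information [requestid=364a05b7-2beb-4c68-8459-52e6fc4612b3]
2010-09-29 04:40:00,500 INFO messageSize=8388608bytes
2010-09-28 03:10:11,001 INFO Request information [requestid=aaaaaaaa-0000-4000-8000-000000000001]
2010-09-28 02:52:04,992 INFO messageSize=4194304bytes
2010-09-27 23:59:59,999 INFO Request information [requestid=aaaaaaaa-0000-4000-8000-000000000003]
"""

# Same extractions the question relies on: timestamp, MessageSizeBytes, requestid.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) ")
SIZE_RE = re.compile(r"messageSize=(\d+)bytes")
REQ_RE = re.compile(r"requestid=([0-9a-f-]{36})")


def parse_event(line):
    """Turn one log line into a dict with _time, MessageSizeBytes, requestid (None when absent)."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(microsecond=int(m.group(2)) * 1000)
    size = SIZE_RE.search(line)
    req = REQ_RE.search(line)
    return {
        "_time": ts,
        "MessageSizeBytes": int(size.group(1)) if size else None,
        "requestid": req.group(1) if req else None,
    }


def requests_with_message_size(lines):
    """Return [(time, requestid, size_in_effect)] in chronological order.

    size_in_effect is the messageSize from the most recent restart line that
    precedes the request; it is None for requests logged before any restart
    in the input (the search window started too late to know the size).
    """
    events = [e for e in map(parse_event, lines) if e]
    # Carry-forward only works oldest-first; never trust the input order.
    events.sort(key=lambda e: e["_time"])
    current_size = None
    rows = []
    for e in events:
        if e["MessageSizeBytes"] is not None:
            current_size = e["MessageSizeBytes"]  # jboss restarted: new size in effect
        elif e["requestid"] is not None:
            rows.append((e["_time"], e["requestid"], current_size))
    return rows


def size_by_request(lines):
    """Convenience lookup: requestid -> size in effect (None if unknown)."""
    return {rid: size for _, rid, size in requests_with_message_size(lines)}


if __name__ == "__main__":
    print(f"{'_time':<23} {'requestid':<36} MessageSizeBytes")
    for t, rid, size in requests_with_message_size(SAMPLE_LOG.splitlines()):
        print(f"{t.strftime('%Y-%m-%d %H:%M:%S,%f')[:-3]:<23} {rid:<36} {size if size is not None else '(unknown)'}")
```

The same carry-forward can be done in a single search without a subsearch, which is my suggestion rather than anything from the thread: sort the events oldest-first with sort 0 _time, then streamstats last(MessageSizeBytes) as MessageSizeBytes carries the most recent restart's value onto every later event (stats functions skip null values, so request events pick up the last size seen), and search requestid=* | table _time requestid MessageSizeBytes keeps only the request rows. Requests that show an empty MessageSizeBytes were logged before the first restart in the window, so widen the time range rather than trust them.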

Super Champion

You're right about the where clause, that's a new one on me. I did look in the docs and I didn't see that syntax, but it's possible I missed it. In any case, I updated my answer and removed that comment.


Path Finder

I got a transaction working to split out into 5 transaction statements for the 5 times jboss restarted and I can see the requestids in chunks.. is there a way to break those out?


Path Finder

The where does work as expected. My main problem is getting a listing of all request ids with the message size (I am able to get one using the query above). I am trying the transaction approach to group every time jboss was started, but I don't think it is going to work for me.
