Splunk Search

data extraction from log without any links between them

Devi13
Path Finder

Hello Team,

I have logs with the below pattern

08/31/2023 8:00:00:476 am ........ count=0

08/31/2023 8:00:00:376 am ........ process started

08/31/2023 8:00:00:376 am...... XXX Process

I need the process name and the count to be displayed together, but I don't have any common values/names/strings to match them.

I have 4 similar processes and the counts together in the logs. Is there a way we can match them together?

Any help is much appreciated.

1 Solution

gcusello
SplunkTrust

Hi @Devi13,

I suppose that at least you have the host where the logs are coming from and the sourcetype;

in addition, can you say that the first event is "count=0" and the last event is "XXX Process"?

If this is true, this is one of the few situations to use the transaction command:

index=your_index sourcetype=your_sourcetype ("count=0" OR "process started" OR "Process")
| transaction host startswith="count=0" endswith="Process"
| rex "(?<Process>\w+) Process"
| table Process count

Ciao.

Giuseppe



Devi13
Path Finder

Thank you so much all for your inputs, we were able to get the data from another set of logs.

Thank you so much!!

ITWhisperer
SplunkTrust

In the olden days, I would have said computers are dumb, they can only do what you tell them to do, but with advances in AI this is becoming less true. Having said that, Splunk still requires you to tell it what to do and it can automate what you are doing. So, how would you as a human determine how these events are related?

isoutamo
SplunkTrust

Hi

It's just like @ITWhisperer said. There must be some way how you can combine those events which belong to one transaction. With your current example there hasn't been any information about that. When you can find some common information which is in all of those, then you can try e.g. @gcusello's way to combine them together.

I assume that there could be outputs from several processes on one or more nodes which generate those log events? If there is only one node and only one process at a time, then you can use @gcusello's example as is.

The best way to continue this is to ask the developer to add some unique transaction id (e.g. uuidgen -> B49A0412-3EBB-4377-A026-D8E43EC9F7F1, different output on every run) to the logs, which we could use to combine transactions together.

r. Ismo

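The positional grouping that gcusello's `transaction` search relies on, and the collision isoutamo warns about when several processes interleave on one host, modelled in Python as an added illustration (not code from this thread or from Splunk). Assumptions not in the thread: a constructed log layout with a host prefix and a `tx=` id on every line, and `process started` as the earliest marker and `count=` as the latest, matching the timestamps in the question.

```python
import re

# Constructed sample, not the thread's data: host prefix, timestamp, a tx= id the
# developer was asked to add, then the three messages from the question, in time order.
SAMPLE_LOGS = """\
hostA 08/31/2023 8:00:00:376 am tx=a1 ........ process started
hostA 08/31/2023 8:00:00:376 am tx=a1 ........ Backup Process
hostA 08/31/2023 8:00:00:476 am tx=a1 ........ count=0
hostB 08/31/2023 8:00:01:100 am tx=b1 ........ process started
hostB 08/31/2023 8:00:01:100 am tx=b1 ........ Export Process
hostB 08/31/2023 8:00:01:150 am tx=b2 ........ process started
hostB 08/31/2023 8:00:01:150 am tx=b2 ........ Import Process
hostB 08/31/2023 8:00:01:200 am tx=b1 ........ count=3
hostB 08/31/2023 8:00:01:250 am tx=b2 ........ count=7
"""

LINE_RE = re.compile(r"^(?P<host>\S+) \S+ \S+ [ap]m tx=(?P<tx>\w+)(?P<rest>.*)$")
START_RE = re.compile(r"^process started$")      # earliest event of a run
END_RE = re.compile(r"^count=(?P<count>\d+)$")   # latest event of a run
PROC_RE = re.compile(r"^(?P<name>\w+) Process$")

def correlate(log_text, key_fn):
    """Model of `transaction <key> startswith=... endswith=...`: per key, open a
    run at the start marker, collect messages, close it at the end marker.
    key_fn decides which events belong together, which is the thread's whole problem."""
    open_runs, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, msg = key_fn(m), m["rest"].strip(" .")
        if START_RE.match(msg):
            open_runs[key] = []          # a still-open run on this key is silently lost
        elif key in open_runs:
            open_runs[key].append(msg)
            end = END_RE.match(msg)
            if end:
                names = [p["name"] for p in map(PROC_RE.match, open_runs.pop(key)) if p]
                results.append({"key": key, "Process": names, "count": int(end["count"])})
    return results

def by_host(m):
    """All that `transaction host` has to go on: interleaved runs on one host collide."""
    return m["host"]

def by_host_and_tx(m):
    """Correlation once each line carries the transaction id isoutamo asked for."""
    return (m["host"], m["tx"])
```

With `by_host`, hostB's Import run is paired with count=3 (which belongs to Export) and Export is dropped entirely; with `by_host_and_tx` both hostB runs come back with the right count.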