Splunk Search

data extraction from log without any links between them

Devi13
Path Finder

Hello Team,

I have logs with the below pattern

08/31/2023 8:00:00:476 am ........ count=0

08/31/2023 8:00:00:376 am ........ process started

08/31/2023 8:00:00:376 am...... XXX Process

I need the process name and the count to be displayed together, but I don't have any common values/names/strings to match them.

I have 4 similar processes and the count together in the logs. Is there a way we can match them together?

Any help is much appreciated.


gcusello
SplunkTrust

Hi @Devi13,

I suppose that at least you have the host the logs are coming from and the sourcetype;

in addition, can you say that the first event is "count=0" and the last event is "XXX Process"?

If this is true, this is one of the few situations to use the transaction command:

index=your_index sourcetype=your_sourcetype ("count=0" OR "process started" OR "Process")
| transaction host startswith="count=0" endswith="Process"
| table Process count

Ciao.

Giuseppe



Devi13
Path Finder

Thank you so much all for your inputs, we were able to get the data from another set of logs.

Thank you so much!!

ITWhisperer
SplunkTrust

In the olden days, I would have said computers are dumb, they can only do what you tell them to do, but with advances in AI this is becoming less true. Having said that, Splunk still requires you to tell it what to do and it can automate what you are doing. So, how would you as a human determine how these events are related?

isoutamo
SplunkTrust

Hi

It's just like @ITWhisperer said. There must be some way to combine those events which belong to one transaction. In your current example there isn't any information about that. When you can find some common information which is in all of them, then you can try e.g. @gcusello's way to combine them together.

I assume that there could be outputs from several processes on one or more nodes which generate those log events? If there is only one node and only one process at a time, then you can use @gcusello's example as is.

The best way to continue is to ask the developer to add some unique transaction id (e.g. uuidgen -> B49A0412-3EBB-4377-A026-D8E43EC9F7F1, a different output on every run) to the logs, which we could use to combine transactions together.

r. Ismo

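As an added illustration (not code from the thread), a small Python model of what the per-host `startswith`/`endswith` grouping in @gcusello's transaction search does to the three-line pattern, and of the concurrency caveat @isoutamo raises: with one process per host the pairs come out right, but two processes interleaving on the same host produce an unfinished transaction and a pairing that cannot be verified. The hosts, ISO timestamps and interleaving are constructed assumptions; the post only shows the message text.

```python
import re
from dataclasses import dataclass

# Constructed sample events (ISO timestamp, host, message); not from the original post.
MULTI_HOST = [
    ("2023-08-31T08:00:00.376", "host-a", "... count=0"),
    ("2023-08-31T08:00:00.380", "host-b", "... count=3"),
    ("2023-08-31T08:00:00.381", "host-a", "... process started"),
    ("2023-08-31T08:00:00.382", "host-b", "... process started"),
    ("2023-08-31T08:00:00.450", "host-b", "... YYY Process"),
    ("2023-08-31T08:00:00.476", "host-a", "... XXX Process"),
]
# Two processes logging concurrently on ONE host: nothing distinguishes their lines.
SAME_HOST = [
    ("2023-08-31T08:00:00.376", "host-a", "... count=0"),
    ("2023-08-31T08:00:00.377", "host-a", "... process started"),
    ("2023-08-31T08:00:00.380", "host-a", "... count=5"),
    ("2023-08-31T08:00:00.381", "host-a", "... process started"),
    ("2023-08-31T08:00:00.450", "host-a", "... XXX Process"),
    ("2023-08-31T08:00:00.476", "host-a", "... YYY Process"),
]

COUNT_RE = re.compile(r"count=(\d+)")
PROC_RE = re.compile(r"(\S+) Process$")

@dataclass
class Transaction:
    host: str
    count: int
    process: str = ""  # empty => closed without ever seeing an end event

def group_transactions(events):
    """Simplified model of `transaction host startswith="count=" endswith="Process"`:
    per host, a count= line opens a transaction and the next '... Process' line
    closes it; a new count= line closes a still-open transaction unfinished."""
    open_tx, closed = {}, []
    for _, host, msg in sorted(events):  # chronological order, like Splunk
        m = COUNT_RE.search(msg)
        if m:
            if host in open_tx:
                closed.append(open_tx.pop(host))
            open_tx[host] = Transaction(host, int(m.group(1)))
            continue
        p = PROC_RE.search(msg)
        if p and host in open_tx:
            open_tx[host].process = p.group(1)
            closed.append(open_tx.pop(host))
        # any other line (e.g. 'process started') is neither start nor end: ignored
    return closed + list(open_tx.values())

def pairs(events):
    """(host, process, count) for transactions that saw both a start and an end."""
    return [(t.host, t.process, t.count) for t in group_transactions(events) if t.process]
```

With MULTI_HOST the host field keeps the two runs apart; with SAME_HOST the first transaction closes with no process name and the 'YYY' end event is dropped, which is exactly why a per-run id in the log is the reliable fix.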