Splunk Search

extract fields from multiple events.

valivarthiramu
New Member

Below are my events.
Event1:contains Messages Id and Status
Event2: contains Messages Id and Origin
Event3: contains Messages Id Event Type and number of events in single messages
Event4: contains Messages Id Before event
Event5: contains Messages Id and Number of events from mq.

My requirement is write query on below mentioned splunk events to display number of events from a single message(Event3) and Event Type(Event3) and number of Before events(Event 4) and number of events from mq(Event5) and Origin of Message(Event2) and status of Message(Event1)

Can some one help me on best way to write query.

Event1:
314 <14>1 2020-05-08T06:32:27.152225+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-4] BankListener:299 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 , status: CONFIRMED

Event2:
373 <14>1 2020-05-08T06:32:27.144325+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-4] MonetaryListener:294 - dvCID: aee7de40-90f5-11ea-a289-65afed7166d5, Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 Origin: MQ.DEV.BANK

Event3:
495 <14>1 2020-05-08T06:32:26.93318+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [Kafkapublish-2] Kafkapublish$KafkapublishCommand:164 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6, EventType: SAVINGS, dvCID: aee7de40-90f5-11ea-a289-65afed7166d5, Num Events: 1, JMS TS: Fri May 08 02:32:26 EDT 2020, DOM TS: Fri May 08 02:32:26 EDT 2020, Kafka TS: Fri May 08 02:32:26 EDT 2020

Event4:
326 <14>1 2020-05-08T06:32:26.92776+00:00  5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-container-4] BankListener:439 - Before event, Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 / Bank: 123

313 <14>1 2020-05-08T06:32:26.405266+00:00  5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-container-4] BankListener:408 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6, events from mq: 2
0 Karma

richgalloway
SplunkTrust
SplunkTrust

This may help.

index=foo
| rex "Message id: ID:(?<MessageID>\w+)"
| eval msgType = case(searchmatch("status:"),"Status", searchmatch("Origin:"), "Origin", searchmatch("Before event"), "Before event", searchmatch("events from mq:"), "Events from MQ", 1==1, "Single message")
| stats count by msgType, MessageID
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...