Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how can I find a specific field that is mentioned more than once in one log file?

dirkbaumann
Explorer
‎04-22-2013 05:54 AM

Hi,
how can I find a specific field that is mentioned more than once in one log file?
The example:
Each log file I'm going to concatenate stands the field time=... what shows me the time form the beginning to the time where they reach this exact point

I use the transaction order to build a big log file with a unique session ID to look what path they followed and how long did they need.
For one query I want to know just the finale time the application needs.

How do I just get the last time=... stand from the log file?

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-22-2013 06:29 AM

Not 100% sure I understand your question correctly, but I believe that you could use the mvindex() function of eval to specify the last element in the array (i.e. a multi-valued field).

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions

Possibly you could also use the max() function for stats, if the time field is numeric;

... | stats max(time) by sessionID

Also, if you have built transactions based off the sessionID's, Splunk will automatically create a new field called duration which may be good enough for you.

Hope this helps,

Kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...