Splunk Search

how can I find a specific field that is mentioned more than once in one log file?

dirkbaumann
Explorer

Hi,
how can I find a specific field that is mentioned more than once in one log file?
The example:
Each log file I'm going to concatenate stands the field time=... what shows me the time form the beginning to the time where they reach this exact point

I use the transaction order to build a big log file with a unique session ID to look what path they followed and how long did they need.
For one query I want to know just the finale time the application needs.

How do I just get the last time=... stand from the log file?

Tags (1)
0 Karma

kristian_kolb
Ultra Champion

Not 100% sure I understand your question correctly, but I believe that you could use the mvindex() function of eval to specify the last element in the array (i.e. a multi-valued field).

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions

Possibly you could also use the max() function for stats, if the time field is numeric;

... | stats max(time) by sessionID

Also, if you have built transactions based off the sessionID's, Splunk will automatically create a new field called duration which may be good enough for you.

Hope this helps,

Kristian

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>