Splunk Search

relating fields in multiple log format

irfy
New Member

I have the following three different types of logs coming into a single sourcetype:

<189>Jul 06 15:38:54|100.888.94.888|sport=64920|sid=11635419210657705766|XX.XX.XX.XX|80|rt=9

<190>Jul 06 15:38:54|10.39.192.90|100.888.94.888|sport=64920|sid=11635419210657705766|Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0||SWEBS=1&SWECmd=InvokeMethod&SWEService=Message+Bar&SWEMethod=UpdatePrefMsg&SWEIPS=%400%600%601%600%60%603%60%60SWEBS%601%60&SWERPC=1&SRN=clPdw5go7eScsXlZ5zpUAlw4LuUxc1dUg1JRlUYnw8gb&SWEC=30&SWETS=1404625134263

<132>Jul 6 15:38:54 lbs241-mgt.com.au ASM:2014-07-06 15:38:54|THISISUSERNAME|ssid=c93ffac13b7f4368|sport=64920|sid=11635419210657705766|100.888.94.888|10.39.192.90|POST|/ppopenui/start.swe<SWECmd=InvokeMethod>|200|alerted

a) How do I relate them using the "sid"? For example, for SWEService="Message*" the response time is in the line starting with "<189>" in the field "rt=", and the user who invoked this is in the line starting with "<132>" where I have put "THISISUSERNAME" (note there is no field name for the username).

Note: all three lines have constant formatting, i.e. it's a pipe-delimited log file with specific values in each field.
Also "<180>", "<190>" and "<132>" are constant values that distinguish the three types of logs.

What I am trying to do is to find the average response time (i.e. rt), plus another report of which user has viewed with SWEService.

Appreciate the help.
Regards, Irfan

0 Karma

martin_mueller
SplunkTrust

You'll want to combine those events into a transaction:

sourcetype=whatever and other filters for your events | transaction sid maxspan=1s | timechart avg(rt) by SWEService

Similarly you can run other reports, such as | timechart values(user) by SWEService. I've assumed all events for one transaction happen at roughly the same time with maxspan=1s; that may or may not be correct for your case - adjust the span as required, or look at the other settings at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Transaction

That's assuming you already have the relevant fields extracted. rt, sid, and SWEService should be auto-extracted, you'd probably need a regular expression for the user, e.g. ^\<132\>[^|]+\|(?<user>[^|]+).

0 Karma
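Putting the pieces of that answer together, here is a complete search for the three sample lines above. This is an added illustration, not part of the answer: the sourcetype name is a placeholder, and the three rex extractions are assumptions for the case where Splunk's automatic key=value extraction does not already give you sid, rt and SWEService (the user field always needs the rex, since the "<132>" line carries no field name for it).

```spl
sourcetype=YOUR_SOURCETYPE
| rex "^<132>[^|]+\|(?<user>[^|]+)\|"
| rex "^<190>.*?\|SWEService=(?<SWEService>[^&|]+)"
| rex "^<189>.*\|rt=(?<rt>\d+)"
| transaction sid maxspan=1s
| search SWEService="Message*"
| stats avg(rt) AS avg_rt, values(user) AS users BY SWEService
```

The transaction groups the "<189>", "<190>" and "<132>" events with the same sid into one event, so after it rt, SWEService and user sit together and can be reported against each other; if the three lines are written more than a second apart, raise maxspan.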