Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search across multiple events and present it in report

runiyal
Path Finder
‎03-14-2016 10:36 AM

Hello,

I have a logfile with events -

2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess
---Multiple Lines---
2016-03-14 12:44:45,147 [catalina-exec-5] Uploading file to system from stream.
---Multiple Lines---
2016-03-14 12:44:55,246 [catalina-exec-5] File already exists in the location
---Multiple Lines---
Caused by: org.springframework.dao.DuplicateKeyException:

I need to create a report that Looks at "UploadProcess" from the First event and then either "File already exists in the location" OR "DuplicateKeyException" from other events.

How to search across multiple events and present it in report

Thanks!

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-14-2016 11:24 AM

Assuming "File already exists in the location" and "DuplicateKeyException" are both present in the same set of events, the transaction command should do the job for you.

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

runiyal
Path Finder
‎03-15-2016 07:18 AM

Hello Rich,

This query is working -

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | timechart count by day

Problem is it's very slow. How can we tune this query.

Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-15-2016 09:36 AM

How slow is "very slow"? If you're searching a large amount of data then you should expect it to be slow.
An entire course could be taught on tuning queries (not by me)but here are some tips. Try to make your base search as specific as possible so unneeded events are ignored. Avoid "all time" and "index=*" searches. Click on "Inspect Job" after your search completes to see where it is spending the most time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2016 11:03 AM

Is there any identifier linking the event Caused by: org.springframework.dao.DuplicateKeyException: to the event 2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess?

Obligatory: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...