search across multiple events and present it in a report

Explorer

Hello,

I have a logfile with these events:

2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess
---Multiple Lines---
2016-03-14 12:44:45,147 [catalina-exec-5] Uploading file to system from stream.
---Multiple Lines---
2016-03-14 12:44:55,246 [catalina-exec-5] File already exists in the location
---Multiple Lines---
Caused by: org.springframework.dao.DuplicateKeyException:

I need to create a report that looks at "UploadProcess" from the first event and then either "File already exists in the location" OR "DuplicateKeyException" from the other events.

How do I search across multiple events and present the result in a report?

Thanks!

SplunkTrust

Assuming "File already exists in the location" and "DuplicateKeyException" are both present in the same set of events, the transaction command should do the job for you.

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | ...
---
If this reply helps you, an upvote would be appreciated.
Explorer

Hello Rich,

This query is working:

your search | transaction startswith="Initiate UploadProcess" endswith="File already exists in the location" | timechart count by day

The problem is that it's very slow. How can we tune this query?

Thanks!

SplunkTrust

How slow is "very slow"? If you're searching a large amount of data then you should expect it to be slow.
An entire course could be taught on tuning queries (not by me), but here are some tips. Try to make your base search as specific as possible so unneeded events are ignored. Avoid "all time" and "index=*" searches. Click on "Inspect Job" after your search completes to see where it is spending the most time.

---
If this reply helps you, an upvote would be appreciated.
SplunkTrust

Is there any identifier linking the event "Caused by: org.springframework.dao.DuplicateKeyException:" to the event "2016-03-14 12:44:44,105 INFO [catalina-exec-5] Initiate UploadProcess"?

Obligatory: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

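The thread name in square brackets ([catalina-exec-5] in the sample events) is one such linking identifier, and using it lets the slow transaction search from the earlier reply be replaced with a stats-based one. The following is an added example, not code from either reply; it assumes placeholder index and sourcetype values, that the thread name can be extracted from every relevant event (the DuplicateKeyException stack trace being part of the same multi-line event as the "File already exists" line, as the sample suggests), and that a thread handles uploads one at a time, so each "Initiate UploadProcess" on a thread starts a new attempt:

```spl
index=<your_index> sourcetype=<your_sourcetype>
    ("Initiate UploadProcess" OR "File already exists in the location" OR "DuplicateKeyException")
| rex field=_raw "\[(?<thread>catalina-exec-\d+)\]"
| eval phase=case(searchmatch("Initiate UploadProcess"), "start",
                  searchmatch("File already exists in the location") OR searchmatch("DuplicateKeyException"), "duplicate")
| reverse
| streamstats count(eval(phase="start")) AS upload_seq by thread
| where upload_seq > 0
| stats earliest(_time) AS _time, count(eval(phase="duplicate")) AS dup_events by thread, upload_seq
| where dup_events > 0
| timechart span=1d count AS failed_uploads
```

The first line restricts the base search to the three phrases so far fewer events leave the indexers than with the original transaction search; `reverse` puts events in chronological order so `streamstats` can number each upload attempt per thread, and the final `stats` groups each attempt into a single row, which `timechart` then counts per day only when that attempt hit a duplicate error.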