Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

transaction or join where the search field changes but another field is common

stewartevans
Explorer
‎05-20-2015 11:12 PM

Hi I have a log with entries similar to below

11:32:12,988 INFO [LOG TYPE: REQUEST] [REQUEST ID:46783e96-e146-4d35-9a3a-5ff95226a8bb] ...
11:32:14,364 SEVERE [LOG TYPE:EXCEPTION] [REQUEST ID:46783e96-e146-4d35-9a3a-5ff95226a8bb] ...
11:32:14,364 INFO [LOG TYPE:RESPONSE] [REQUEST ID:46783e96-e146-4d35-9a3a-5ff95226a8bb] ...

What I'm looking for is a search which displays all 3 which have the same REQUEST ID if it finds a SEVERE or LOG TYPE:EXCEPTION

Transaction almost sounds like what I want so I tried the following

sourcetype=cas SEVERE | transaction RequestId maxspan=5s maxpause=5s

However this only brings back the SEVERE entry.

Is there a way to do this with transaction or should I be looking at JOIN?

Thanks for your assistance

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-20-2015 11:28 PM

Comment for now as I'm half asleep spinning a theory:

One thought is search for all records with a RequestId, do the transaction, and then use either a search or where command to filter the results to only include those. e.g.

sourcetype=cas RequestId=* | transaction RequestId ...   | search SEVERE

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-20-2015 11:28 PM

Comment for now as I'm half asleep spinning a theory:

One thought is search for all records with a RequestId, do the transaction, and then use either a search or where command to filter the results to only include those. e.g.

sourcetype=cas RequestId=* | transaction RequestId ...   | search SEVERE
Reply
Solved! Jump to solution

stewartevans
Explorer
‎05-20-2015 11:32 PM

acharlieh you are a genius! It works!!

Reply
Solved! Jump to solution

acharlieh
Influencer
‎05-20-2015 11:34 PM

Well excellent then! converted comment to an answer.

0 Karma
Reply
Solved! Jump to solution

stewartevans
Explorer
‎05-20-2015 11:36 PM

Cheers, thanks for such a quick response

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...