×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
fw42
New Member
Member since: ‎04-24-2015
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-24-2015
View All

Re: Automatically group events into transactions, ...

by in Splunk Search
‎04-27-2015 12:26 PM
‎04-27-2015 12:26 PM
I don't see how sorting helps here or has anything to do with it. I want, by default, all lines that were logged during a request, to show up as one event in Splunk. I almost never want to search for only a single line, we always need search results to include the full context of a request. Also I want this behaviour by default (not adding additional sort or transaction commands or anything alike). Right now we solve this by using regular expressions to determine where an event starts and ends, but that solution is incredibly hacky on so many levels and I feel like there must be a cleaner, more "context free", solution. ... View more

Re: Automatically group events into transactions, ...

by in Splunk Search
‎04-24-2015 02:33 PM
‎04-24-2015 02:33 PM
Thanks for the quick reply. We use Splunk mostly for debugging, not for generating statistics, and we found that we usually search for certain keywords and almost always want the "full context" (all lines that were logged by that event, not just one). Also we found the "transaction" command (to group events together after they were already indexed) to be very slow (compared to sending multi-line events to the indexer). So unfortunately, I don't think that setting up a macro to do this is the right solution for us, both from a usability and a performance perspective. ... View more

Automatically group events into transactions, or: ...

by in Splunk Search
‎04-24-2015 01:54 PM
‎04-24-2015 01:54 PM
Hey folks, I have a web application that logs several log lines per request. Each line is tagged with the request id of that request, so lines that were logged during the same request are tagged with the same request id. Example: request_id=1 things are happening request_id=1 bla bla request_id=2 things are happening over here too request_id=1 request is done request_id=2 request is done Is it possible to "aggregate" those lines into two events (one for request_id=1 and one for request_id=2)? Please note that I want to do the aggregation before indexing, not at search time (I don't want my staff to use things like the "transaction" command for every single query they make, just to see all lines of a request). I basically want this "transaction" behaviour by default. In my example, the logs are interweaved. If it makes my Splunk problems simpler, I can work around that by buffering all lines before logging them, but I would still like to aggregate them based on request_id (not based on ugly regular expressions for splitting things - I would like to make things as context free as possible and not depend on knowledge about the actual content (like known keywords or other similar hacks)). Thanks in advance Flo ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM