Splunk Search

data extraction from log without any links between them

Devi13
Path Finder

Hello Team,

I have logs with the below pattern

08/31/2023 8:00:00:476 am ........ count=0

08/31/2023 8:00:00:376 am ........ process started

08/31/2023 8:00:00:376 am...... XXX Process

I need the process name and the count to be displayed together, but I don't have any common values/names/strings to match them.

I have 4 similar processes and the count together in the logs. Is there a way we can match them together?

Any help is much appreciated.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Devi13,

I suppose that at least you have the host the logs are coming from and the sourcetype;

in addition, can you say that the first event is "count=0" and the last event is "XXX Process"?

If this is true, this is one of the few situations in which to use the transaction command:

index=your_index sourcetype=your_sourcetype ("count=0" OR "process started" OR "Process")
| transaction host startswith="count=0" endswith="Process"
| table Process count

Ciao.

Giuseppe



Devi13
Path Finder

Thank you so much all for your inputs, we were able to get the data from another set of logs.

Thank you so much!!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

In the olden days, I would have said computers are dumb, they can only do what you tell them to do, but with advances in AI this is becoming less true. Having said that, Splunk still requires you to tell it what to do and it can automate what you are doing. So, how would you as a human determine how these events are related?

isoutamo
SplunkTrust
SplunkTrust

Hi

It's just like @ITWhisperer said. There must be some way you can combine those events which belong to one transaction. With your current example there hasn't been any information about that. When you can find some common information which is in all of those, then you can try e.g. @gcusello's way to combine those together.

I assume that there could be output from several processes on one or more nodes which generate those log events? If there is only one node and only one process at a time, then you can use @gcusello's example as is.

The best way to continue this is to ask the developer to add some unique transaction id (e.g. uuidgen -> B49A0412-3EBB-4377-A026-D8E43EC9F7F1, different output on every run) to the logs which we could use to combine transactions together.

r. Ismo

0 Karma
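The two approaches discussed in this thread, stitching by start/end markers per host as in @gcusello's transaction search and grouping on a per-run transaction id as @isoutamo suggests, can be simulated outside Splunk to see exactly where the first one breaks. The script below is an added example written for this page, not code from the thread or from Splunk. It mimics `transaction host startswith=... endswith=...` over constructed log lines that follow the poster's pattern; the host field, the txid field, the process names "Billing" and "Export" and the second interleaved run are all assumptions, since the original post shows only timestamps and message text.

```python
"""Simulate Splunk's `transaction host startswith=... endswith=...` over the
thread's log pattern and show why a per-run transaction id is the fix.
Added example, not from the thread. host, txid and the process names are
assumptions; the original post shows only timestamps and message text."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in the order Splunk displays them (newest first).
SINGLE_RUN = """
08/31/2023 8:00:00:476 am host=app01 count=0
08/31/2023 8:00:00:376 am host=app01 process started
08/31/2023 8:00:00:376 am host=app01 Billing Process
"""

# Two runs on the same host whose events overlap in time (constructed). Only
# the assumed txid field tells the two runs apart.
INTERLEAVED = """
08/31/2023 8:00:00:476 am host=app01 txid=B49A0412 count=0
08/31/2023 8:00:00:470 am host=app01 txid=7C1D55E0 count=3
08/31/2023 8:00:00:376 am host=app01 txid=B49A0412 process started
08/31/2023 8:00:00:376 am host=app01 txid=B49A0412 Billing Process
08/31/2023 8:00:00:370 am host=app01 txid=7C1D55E0 process started
08/31/2023 8:00:00:370 am host=app01 txid=7C1D55E0 Export Process
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}:\d{3} [ap]m)\s+"
    r"host=(?P<host>\S+)\s+(?:txid=(?P<txid>\S+)\s+)?(?P<msg>.*)$"
)
COUNT_RE = re.compile(r"count=(?P<count>\d+)")       # stands in for the auto-extracted count field
PROCESS_RE = re.compile(r"^(?P<name>.+?) Process$")  # "XXX Process" -> XXX


def parse(log):
    """Turn raw lines into dicts, keeping the stream order Splunk showed."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, like a failed extraction
        events.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S:%f %p"),
            "host": m["host"], "txid": m["txid"], "msg": m["msg"],
        })
    return events


def transaction(events, startswith, endswith, maxspan=timedelta(seconds=5)):
    """Group per-host events from a start marker to an end marker in stream
    order. A second start marker before the end, or an event further than
    maxspan from the start, closes the open group as incomplete."""
    open_by_host, done = {}, []
    for ev in events:
        key = ev["host"]
        if startswith in ev["msg"]:
            if key in open_by_host:
                done.append(open_by_host.pop(key))  # orphaned: no end seen
            open_by_host[key] = {"host": key, "events": [ev], "complete": False}
            continue
        tx = open_by_host.get(key)
        if tx is None:
            continue  # event outside any transaction
        if abs(ev["time"] - tx["events"][0]["time"]) > maxspan:
            done.append(open_by_host.pop(key))  # too far from the start
            continue
        tx["events"].append(ev)
        if endswith in ev["msg"]:
            tx["complete"] = True
            done.append(open_by_host.pop(key))
    done.extend(open_by_host.values())
    return done


def summarize(tx):
    """Pull Process and count out of one group, like `table Process count`."""
    proc = count = None
    for ev in tx["events"]:
        if (m := COUNT_RE.search(ev["msg"])):
            count = int(m["count"])
        if (m := PROCESS_RE.match(ev["msg"])):
            proc = m["name"]
    return {"host": tx["host"], "Process": proc, "count": count, "complete": tx["complete"]}


def stitch_by_markers(log):
    """The thread's transaction approach: host plus start/end markers."""
    return [summarize(t) for t in transaction(parse(log), "count=", "Process")]


def stitch_by_txid(log):
    """The fix: once the developer logs a per-run id, group on (host, txid)."""
    groups = {}
    for ev in parse(log):
        if ev["txid"] is None:
            continue  # no correlation key: nothing to group on
        g = groups.setdefault((ev["host"], ev["txid"]),
                              {"host": ev["host"], "events": [], "complete": True})
        g["events"].append(ev)
    return [summarize(t) for t in groups.values()]


if __name__ == "__main__":
    for row in stitch_by_markers(INTERLEAVED):
        print("markers:", row)  # pairs count=3 with Billing and drops Export
    for row in stitch_by_txid(INTERLEAVED):
        print("txid:   ", row)  # Billing/0 and Export/3, as logged
```

On the single run the marker approach returns Billing with count 0, which is the result the poster wants. On the interleaved run it attaches count=3 to the Billing process and never sees the Export run at all, because the second "count=" line restarts the transaction: that is the "only one process at a time" condition @isoutamo attaches to the answer, made visible. Two details to carry back into SPL: the marker checks here are case-sensitive, whereas Splunk term matching is not, so choose an endswith marker that only the closing event contains; and set a maxspan on the transaction so a start event with no matching end cannot swallow unrelated events minutes later.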