Combining multi-line events into single transactions in Splunk

Posted on January 25, 2012 Updated on March 27, 2012

This can be used to group together multiple lines, of which belong to the same thread. You can pipe the data to a “transaction startswith/endswith” as described below, and Splunk will group the lines into a single shared “transaction”. Then the “table” command basically creates a table of the output of the field.

NOTE: This is slow and very taxing for Splunk, so do it against a short time frame, and don’t schedule any reports to do this (the “transaction” function).

source=”/source/to/data” (host=”server1″ OR host=”server2″) | transaction startswith=”starting word” endswith=”ending word” | search field1 | table field2

This entry was posted in Splunk and tagged endswith, splunk, startswith, table.

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

dmilltech

technical solutions for systems engineers