endswith

Combining multi-line events into single transactions in Splunk

Posted on Updated on

This can be used to group together multiple lines, of which belong to the same thread. You can pipe the data to a “transaction startswith/endswith” as described below, and Splunk will group the lines into a single shared “transaction”. Then the “table” command basically creates a table of the output of the field.

NOTE: This is slow and very taxing for Splunk, so do it against a short time frame, and don’t schedule any reports to do this (the “transaction” function).

source=”/source/to/data” (host=”server1″ OR host=”server2″) | transaction startswith=”starting word” endswith=”ending word” | search field1 | table field2

Advertisement

This entry was posted in Splunk and tagged , , , .