
Splunk: combine fields from multiple lines


Context

Say I have logs structured this way

TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers} # I want this
TID: http-incoming-972453 >> Accept: application/json {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 >> Host: some.organization.com {org.apache.synapse.transport.http.headers}
.....
TID: http-outgoing-8816 >> POST /oauth2/token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Content-Type: application/x-www-form-urlencoded {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Transfer-Encoding: chunked {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Host: some.other.organization.intra:9444 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Connection: Keep-Alive {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> User-Agent: Synapse-PT-HttpComponents-NIO {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
.....
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers} # with this
TID: http-incoming-972453 << X-Frame-Options: DENY {org.apache.synapse.transport.http.headers}
.....

and I have tuned props.conf so that

TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}

ends up indexed with the following fields

  • httpRequestId: 972453
  • ressourceName: /token

and

TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}

with

  • httpRequestId: 972453
  • httpStatus: 200

I am looking for a way to count requests, aggregated by httpStatus and ressourceName using httpRequestId as a join

Attempts

Since information about ressourceName and httpStatus occur on different events, I thought of using a join. This does not give any results.

index=* role="gw" httpAction="incoming" | join type=outer httpRequestId [fields ressourceName,httpStatus] | stats count by ressourceName,httpStatus

While reading Splunk documentation, I also came across selfjoin, the results of which were only partial.

index=* role="gw" httpAction="incoming" | selfjoin httpRequestId | stats count by ressourceName,httpStatus

How can I combine fields from multiple events to end up with something like

/somewhere           200         30
/somewhere           403         1
/somewhere/else      200         15

Solution

  • Your use of join was incorrect. The subsearch must be a valid search, starting with "search" or "|".

    Try the stats command.

    index=foo role=gw httpAction="Incoming"
    | stats values(*) as * by httpRequestId
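The query in the answer only does the first of two stages: it folds every event that shares an httpRequestId into one row, so that the request line's ressourceName and the response line's httpStatus sit side by side. The count the question asks for then comes from a second stats stage, `| stats count by ressourceName, httpStatus`, which is not in the answer above and is my completion of it. Two caveats worth knowing before relying on the numbers: `stats count by` silently drops any row where one of the by-fields is null, so a request that never logged a response line (a timeout, a connection dropped mid-flight) disappears from the table rather than showing up as a separate bucket; and the incoming and outgoing request counters are independent sequences, so the filter on httpAction="incoming" is what keeps an outgoing id from colliding with an incoming one. Unlike join, which is bounded by subsearch result and time limits, this stats pipeline scales to the full event set.

The following Python script is an added example, not code from the question or the answer, that reproduces the same two-stage aggregation over a handful of constructed log lines in the Synapse header-log format shown above, so the behaviour of each stage can be checked offline. The regexes stand in for the question's unspecified props.conf extraction, the request ids and paths are made up, and the function names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Synapse transport header-log format from the question.
# Ids and paths are invented for this example; 972456 deliberately has no response line.
SAMPLE_LOG = """\
TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 >> Accept: application/json {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> POST /oauth2/token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 << X-Frame-Options: DENY {org.apache.synapse.transport.http.headers}
TID: http-incoming-972454 >> GET /somewhere HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972454 << HTTP/1.1 403 Forbidden {org.apache.synapse.transport.http.headers}
TID: http-incoming-972455 >> GET /somewhere HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972455 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972456 >> GET /somewhere/else HTTP/1.1 {org.apache.synapse.transport.http.headers}
"""

# Stand-ins for the props.conf extractions (assumed; the question does not show them).
REQUEST_RE = re.compile(
    r"^TID: http-(?P<direction>incoming|outgoing)-(?P<id>\d+) >> "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d "
)
STATUS_RE = re.compile(
    r"^TID: http-(?P<direction>incoming|outgoing)-(?P<id>\d+) << "
    r"HTTP/\d\.\d (?P<status>\d{3})\b"
)


def extract_fields(line):
    """Return the fields one log line carries, or None for plain header lines."""
    m = REQUEST_RE.match(line)
    if m:
        return {"httpAction": m.group("direction"),
                "httpRequestId": m.group("id"),
                "ressourceName": m.group("path")}
    m = STATUS_RE.match(line)
    if m:
        return {"httpAction": m.group("direction"),
                "httpRequestId": m.group("id"),
                "httpStatus": m.group("status")}
    return None


def parse_log(text, http_action="incoming"):
    """Equivalent of the base search with httpAction="incoming": one event per line.
    Filtering on direction matters because incoming and outgoing ids are separate counters."""
    events = []
    for line in text.splitlines():
        fields = extract_fields(line)
        if fields and fields["httpAction"] == http_action:
            events.append(fields)
    return events


def combine_by_request(events):
    """Equivalent of `| stats values(*) as * by httpRequestId`: one row per id, with every
    other field collapsed to the sorted set of values seen for that id."""
    rows = defaultdict(lambda: defaultdict(set))
    for ev in events:
        rid = ev["httpRequestId"]
        for key, value in ev.items():
            if key != "httpRequestId":
                rows[rid][key].add(value)
    return {rid: {k: sorted(v) for k, v in f.items()} for rid, f in rows.items()}


def count_by_resource_status(rows):
    """Equivalent of the second stage `| stats count by ressourceName, httpStatus`.
    As in Splunk, a row missing either by-field is excluded from the count.
    A request normally carries exactly one path and one status; if several values were
    seen, every combination is counted (a simplification for this example)."""
    counts = Counter()
    for fields in rows.values():
        resources = fields.get("ressourceName", [])
        statuses = fields.get("httpStatus", [])
        if not resources or not statuses:
            continue
        for res in resources:
            for status in statuses:
                counts[(res, status)] += 1
    return counts


def incomplete_requests(rows):
    """Request ids that logged a request line but never a status line: these are the
    rows the count above drops silently, so report them separately."""
    return sorted(rid for rid, f in rows.items() if "httpStatus" not in f)


if __name__ == "__main__":
    rows = combine_by_request(parse_log(SAMPLE_LOG))
    for (res, status), n in sorted(count_by_resource_status(rows).items()):
        print(f"{res:<20} {status:<10} {n}")
    print("no response line seen for request ids:", incomplete_requests(rows))
```

Running it prints one row per (ressourceName, httpStatus) pair in the same shape as the table the question asks for, and lists 972456 as a request with no response line; in Splunk that request would vanish from `stats count by ressourceName, httpStatus`, so if unanswered requests matter for your metric, add a separate search (or a `fillnull` before the second stats) rather than assuming the totals add up to the request count.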