Community:Example of combining macro search with form search
From Splunk Wiki
Example of combining transaction search with macro and form search
REQUEST:
Report on a field from a "request" message if and only if the matching "response" message contains a certain error message.
This is a totally fake example, but it's simple enough to get the point across.
LOG:
request: transaction_id=12444 accountNumber=987654321 action=upgrade
response: transaction_id=12444 error="already closed"
request: transaction_id=55555 accountNumber=987654321 action=upgrade
response: transaction_id=55555 error="success"
request: transaction_id=44444 accountNumber=987654311 action=upgrade
response: transaction_id=44444 error="already closed"
request: transaction_id=12244 accountNumber=987654311 action=upgrade
response: transaction_id=12244 error="success"
STEPS TO CREATE THE SEARCH:
1. Search for your requested events. (I just used a search by source)
2. Pipe to the transaction command based on the same transaction_id field.
3. Search again just for the events with error="already closed".
- source="/Users/mzax/tmp/cox2.log" | transaction fields=transaction_id | search error="already closed"
4. Change the error field to a macro field.
- source="/Users/mzax/tmp/cox2.log" | transaction fields=transaction_id | search $error$
5. Save the search. (I called it try_cox_trans)
Now you can run this with any error message that you want.
- | savedsearch try_cox_trans error="already closed"
You'll get only the grouped events that have the error=<something> field.
Then if you want reports on those, you can pipe to the chart command based on any field from the events.
- source="/Users/mzax/tmp/cox4.log" | transaction fields=transaction_id | search $error$ | chart count(action) by accountNumber
You can save this search and use it as a form search, i.e. select it from the saved search list.
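As an added example (not from the wiki page or from Splunk itself), the same transaction -> search -> chart pipeline re-implemented in plain Python over the sample log above, so the expected output of each stage can be checked offline. The helper names (`transaction`, `search`, `chart_count_by`, `run_pipeline`) are mine, and they mimic only the behaviour the page relies on, not the full option set of Splunk's field extraction or transaction command.

```python
import re
from collections import defaultdict
# Sample log copied from the wiki page (constructed example data, not a real production log).
LOG = """\
request: transaction_id=12444 accountNumber=987654321 action=upgrade
response: transaction_id=12444 error="already closed"
request: transaction_id=55555 accountNumber=987654321 action=upgrade
response: transaction_id=55555 error="success"
request: transaction_id=44444 accountNumber=987654311 action=upgrade
response: transaction_id=44444 error="already closed"
request: transaction_id=12244 accountNumber=987654311 action=upgrade
response: transaction_id=12244 error="success"
"""

# Splunk-style automatic key=value extraction; quoted values lose their quotes.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def extract_fields(line):
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV_RE.findall(line)}

def transaction(events, field):
    """Mimic `| transaction fields=<field>`: one grouped event per <field> value,
    carrying the union of the fields from all of its member events."""
    groups = defaultdict(dict)
    for ev in events:
        if field in ev:
            groups[ev[field]].update(ev)
    return list(groups.values())

def search(events, **criteria):
    """Mimic `| search key="value" ...` applied to the grouped events."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in criteria.items())]

def chart_count_by(events, count_field, by_field):
    """Mimic `| chart count(<count_field>) by <by_field>`. count() only counts events
    where the field exists, so a response with no matching request is skipped."""
    counts = defaultdict(int)
    for ev in events:
        if count_field in ev and by_field in ev:
            counts[ev[by_field]] += 1
    return dict(counts)

def run_pipeline(log_text, error):
    """The saved search from the page with $error$ filled in: transaction -> search -> chart."""
    events = [extract_fields(l) for l in log_text.splitlines() if l.strip()]
    matching = search(transaction(events, "transaction_id"), error=error)
    return chart_count_by(matching, "action", "accountNumber")

if __name__ == "__main__":
    print(run_pipeline(LOG, "already closed"))  # {'987654321': 1, '987654311': 1}
```

Because the filter runs after grouping, `error` (from the response) and `accountNumber`/`action` (from the request) live on the same grouped event, which is why the chart can be keyed by a request field while filtering on a response field.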