In order not to log tons of context information, I want to use the fact that in Splunk I can track when each context is opened/closed. For example, for the given log:
```
2017-08-02 12:12:10.2342+00 - <A> - Enabled feature `feature.A`
2017-08-02 12:12:11.1000+00 - Some log message
2017-08-02 12:12:12.1000+00 - Another log message
2017-08-02 12:12:13.1000+00 - <B> - Enabled feature `feature.B`
2017-08-02 12:12:14.1000+00 - Third log message
2017-08-02 12:12:15.1000+00 - </A> - Disabled feature `feature.A`
2017-08-02 12:12:16.1000+00 - Fourth log message
2017-08-02 12:12:17.1000+00 - </B> - Disabled feature `feature.B`
2017-08-02 12:12:18.1000+00 - Fifth log message
```
... I want to have the following vars in the result:
| Message             | Feature.A | Feature.B |
|---------------------|-----------|-----------|
| Some log message    | +         | -         |
| Another log message | +         | -         |
| Third log message   | +         | +         |
| Fourth log message  | -         | +         |
| Fifth log message   | -         | -         |
Is it possible to do this in Splunk?
Upvotes: 0
Yes, absolutely you can! It will take a little elbow grease to make this work.
Below is a search to get you going in the right direction:
```
index=blah sourcetype=blah | transaction startswith="Enabled feature" endswith="Disabled feature" | stats values(Feature.A) values(Feature.B) by Message
```
You could also use `eval`, which will create a new field and give you the ability to assign variables within Splunk.
A better approach would be to write the stateful information out to a text file each time it occurs then have Splunk do a lookup on that file and display the results. What's your end goal here? Are you looking to build a "living dashboard" showing the state of a feature?
Upvotes: 1
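As an added illustration (not code from either poster), the "write the state out as it occurs" idea from the answer, done outside Splunk: a small Python pass over the log keeps the set of currently open contexts and stamps each plain message with the state of every feature, producing the table the question asks for. The sample log is constructed from the question; the regexes assume the exact `<X> - Enabled feature ...` / `</X> - Disabled feature ...` marker shape shown there, and a close marker for a feature that was never opened is simply ignored.

```python
import re

# Constructed sample log, same shape as the one in the question.
LOG = """\
2017-08-02 12:12:10.2342+00 - <A> - Enabled feature `feature.A`
2017-08-02 12:12:11.1000+00 - Some log message
2017-08-02 12:12:12.1000+00 - Another log message
2017-08-02 12:12:13.1000+00 - <B> - Enabled feature `feature.B`
2017-08-02 12:12:14.1000+00 - Third log message
2017-08-02 12:12:15.1000+00 - </A> - Disabled feature `feature.A`
2017-08-02 12:12:16.1000+00 - Fourth log message
2017-08-02 12:12:17.1000+00 - </B> - Disabled feature `feature.B`
2017-08-02 12:12:18.1000+00 - Fifth log message
"""

# "<date> <time> - <rest>"; the timestamp is kept separate from the payload.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) - (?P<rest>.*)$")
# Context markers: "<A> - Enabled feature `x`" opens, "</A> - Disabled feature `x`" closes.
MARKER_RE = re.compile(
    r"^<(?P<close>/?)\w+> - (?:Enabled|Disabled) feature `(?P<feature>[^`]+)`$")


def annotate(log_text):
    """Return (features, rows); rows are (message, {feature: enabled?}) for plain messages."""
    enabled, features, rows = set(), [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole run
        rest = m.group("rest")
        mk = MARKER_RE.match(rest)
        if mk:
            feature = mk.group("feature")
            if feature not in features:
                features.append(feature)  # remember column order of first appearance
            (enabled.discard if mk.group("close") else enabled.add)(feature)
            continue
        rows.append((rest, frozenset(enabled)))  # snapshot of state at this message
    # Columns are only known once the whole log is read, so expand snapshots at the end.
    return features, [(msg, {f: f in on for f in features}) for msg, on in rows]


def render(features, rows):
    """Pipe-separated table like the one in the question: '+' enabled, '-' otherwise."""
    out = ["Message | " + " | ".join(features)]
    for msg, state in rows:
        out.append(msg + " | " + " | ".join("+" if state[f] else "-" for f in features))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*annotate(LOG)))
```

The rows from `annotate` can just as well be written as CSV and loaded into Splunk as a lookup, which is the approach the answer recommends.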