Application Management

 


Find a user ID across logs

This documentation does not apply to the most recent version of Splunk.


You have gotten a call from a user who is trying to activate a new phone, but is unable to do so. You have the account number from the user, 6098230878, which you know appears in your web logs. However, since you have 30 webservers, you need a quick way to find the user across all those logs.

1. Search on the account number. Since we have set the data up to go to the test index, make sure to mention that index in the search. Since there might be more text associated with the number, use the asterisk (*) wildcard to make sure to catch it wherever it occurs:

index="test" *6098230878*

Note: If you enter multiple strings in your search, Splunk assumes a Boolean AND and looks only for events that match all conditions. Splunk also recognizes the Boolean OR (must be upper case), Boolean NOT, and the asterisk (*) wildcard for an arbitrary string. For more about searches, see the Search tutorial in the User manual.

2. Set the time range to 4 hours (in case the caller was on hold a long time) and run the search.


3. Look at your events. This search shows all events in the test index that contain the string 6098230878 anywhere in the event. You can see that 6098230878 is highlighted in each event. There was an error at 5:56:45.233 PM.
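To see which of the 30 webservers logged the account number, the search from steps 1 and 2 can be extended with a per-host summary. This is an added example, not part of the original Splunk documentation; it assumes the 4-hour range is given in the search string with the earliest time modifier instead of the time range picker, and it relies on the default host, source and _time fields.

```spl
index="test" *6098230878* earliest=-4h
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY host, source
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

Each result row is one host and log file that recorded the account number, with the number of matching events and the first and last time it was seen there.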


The next topic shows how to drill down into that instant in time to see what else was happening.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.

