<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Transaction Command: Determine Outliers/Mismatches Only in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Transaction-Command-Determine-Outliers-Mismatches-Only/m-p/486685#M83335</link>
    <description>&lt;P&gt;I am using the transaction command in Splunk to group the events of an identical log file across two hosts.  Essentially, the field=value pairs across both hosts should be identical at all times.  From time to time, issues can issue that cause the two hosts to become out of sync.  I'd like to have a search that &lt;STRONG&gt;only&lt;/STRONG&gt; identifies transactions where the field=value pairs do not match exactly.  What would be the best way to accomplish this?&lt;/P&gt;

&lt;P&gt;For instance, using the search below groups the log files from multiple hosts into a single transaction by second.&lt;BR /&gt;
"searchterm" source="mylog.log" | transaction field maxspan=1s&lt;/P&gt;

&lt;P&gt;I want to only return events with the below pattern (mismatches)&lt;BR /&gt;
2020-01-10 17:30:00,348 INFO  field=true&lt;BR /&gt;
2020-01-10 17:30:00,351 INFO  field=false&lt;/P&gt;

&lt;P&gt;But ignore events with this pattern (identical)&lt;BR /&gt;
2020-01-10 17:30:00,348 INFO  field=true&lt;BR /&gt;
2020-01-10 17:30:00,351 INFO  field=true&lt;/P&gt;

&lt;P&gt;Or this pattern (identical)&lt;BR /&gt;
2020-01-10 17:30:00,348 INFO  field=false&lt;BR /&gt;
2020-01-10 17:30:00,351 INFO  field=false&lt;/P&gt;</description>
    <pubDate>Mon, 13 Jan 2020 19:17:53 GMT</pubDate>
    <dc:creator>bcarr12</dc:creator>
    <dc:date>2020-01-13T19:17:53Z</dc:date>
    <item>
      <title>Transaction Command: Determine Outliers/Mismatches Only</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Transaction-Command-Determine-Outliers-Mismatches-Only/m-p/486685#M83335</link>
      <description>&lt;P&gt;I am using the transaction command in Splunk to group the events of an identical log file across two hosts.  Essentially, the field=value pairs across both hosts should be identical at all times.  From time to time, issues can issue that cause the two hosts to become out of sync.  I'd like to have a search that &lt;STRONG&gt;only&lt;/STRONG&gt; identifies transactions where the field=value pairs do not match exactly.  What would be the best way to accomplish this?&lt;/P&gt;

&lt;P&gt;For instance, using the search below groups the log files from multiple hosts into a single transaction by second.&lt;BR /&gt;
"searchterm" source="mylog.log" | transaction field maxspan=1s&lt;/P&gt;

&lt;P&gt;I want to only return events with the below pattern (mismatches)&lt;BR /&gt;
2020-01-10 17:30:00,348 INFO  field=true&lt;BR /&gt;
2020-01-10 17:30:00,351 INFO  field=false&lt;/P&gt;

&lt;P&gt;But ignore events with this pattern (identical)&lt;BR /&gt;
2020-01-10 17:30:00,348 INFO  field=true&lt;BR /&gt;
2020-01-10 17:30:00,351 INFO  field=true&lt;/P&gt;

&lt;P&gt;Or this pattern (identical)&lt;BR /&gt;
2020-01-10 17:30:00,348 INFO  field=false&lt;BR /&gt;
2020-01-10 17:30:00,351 INFO  field=false&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jan 2020 19:17:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Transaction-Command-Determine-Outliers-Mismatches-Only/m-p/486685#M83335</guid>
      <dc:creator>bcarr12</dc:creator>
      <dc:date>2020-01-13T19:17:53Z</dc:date>
    </item>
    <item>
      <title>Re: Transaction Command: Determine Outliers/Mismatches Only</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Transaction-Command-Determine-Outliers-Mismatches-Only/m-p/486686#M83336</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;"searchterm" source="mylog.log" 
| streamstats time_window=1s dc(field) as flag
| where flag &amp;gt;1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;how about this?&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jan 2020 21:38:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Transaction-Command-Determine-Outliers-Mismatches-Only/m-p/486686#M83336</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-01-13T21:38:30Z</dc:date>
    </item>
  </channel>
</rss>

