https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550837#M10481 <P>If all the events for the same transaction have the same unique transaction id, it is easy to use that as the correlation id to gather events together. Then check to see if the last event meets your criteria for an alert to be raised.</P> Fri, 07 May 2021 14:04:31 GMT ITWhisperer 2021-05-07T14:04:31Z https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550834#M10479 <P>I am new to splunk. Please help me with the below content.<BR />I need to check first and last events of particular transaction and alert should be triggered if the sequence is not followed or any process stopped in middle.<BR />How can i do that ?<BR />Can anyone please help me on the same?<BR />Thanks in Advance</P> Fri, 07 May 2021 13:52:16 GMT https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550834#M10479 vineela 2021-05-07T13:52:16Z https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550836#M10480 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234209">@vineela</a>,</P><P>could you share some sample of your logs?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 07 May 2021 14:01:24 GMT https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550836#M10480 gcusello 2021-05-07T14:01:24Z https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550837#M10481 <P>If all the events for the same transaction have the same unique transaction id, it is easy to use that as the correlation id to gather events together. Then check to see if the last event meets your criteria for an alert to be raised.</P> Fri, 07 May 2021 14:04:31 GMT https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550837#M10481 ITWhisperer 2021-05-07T14:04:31Z https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550839#M10482 <P>yes,all events have unique transaction id .Can you please tell me the query how to correlate all the events based on it and check if the last event is not success</P> Fri, 07 May 2021 14:14:57 GMT https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550839#M10482 vineela 2021-05-07T14:14:57Z https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550844#M10483 <LI-CODE lang="markup">--- search --- | stats latest(event) as last_event earliest(event) as first_event by transactionid</LI-CODE><P>event is the field you want to check and transactionid is your correlation id. stats will remove everything not mentioned from the pipeline, so if there are other field you are interested in, they need to be included in the stats command to e.g. latest(otherfield) as last_otherfield</P><P>Note that the latest and earliest functions behave slightly differently in different releases of splunk, so you may need to sort by _time first or possibly use last and first functions instead or possibly both of these.</P> Fri, 07 May 2021 14:28:08 GMT https://community.splunk.com/t5/Alerting/Check-first-and-last-events-in-particular-transaction-and/m-p/550844#M10483 ITWhisperer 2021-05-07T14:28:08Z