https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369145#M108773 <P>In every log statement, we write the user's session ID delimited by hyphens as follows: </P> <PRE><CODE> -S:ybiSmNiQxF- </CODE></PRE> <P>I want to get a count of session IDs that contain two specific message strings (in separate log statements) in a specific order. I don't care if there are intervening log statements.</P> <P>Example: </P> <PRE><CODE>2017-08-11 12:51:57,918 INFO - whatever-S:ybiBmNiQxF-whatever STATEMENT1 whatever 2017-08-11 12:51:57,921 INFO - whatever-S:ybiBmNiQxF-whatever STATEMENT2 whatever </CODE></PRE> <P>Is there a way to do this in a Splunk query?</P> <P>Thanks,<BR /> Jonathan</P> Mon, 14 Aug 2017 20:14:04 GMT jbrenner 2017-08-14T20:14:04Z https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369145#M108773 <P>In every log statement, we write the user's session ID delimited by hyphens as follows: </P> <PRE><CODE> -S:ybiSmNiQxF- </CODE></PRE> <P>I want to get a count of session IDs that contain two specific message strings (in separate log statements) in a specific order. I don't care if there are intervening log statements.</P> <P>Example: </P> <PRE><CODE>2017-08-11 12:51:57,918 INFO - whatever-S:ybiBmNiQxF-whatever STATEMENT1 whatever 2017-08-11 12:51:57,921 INFO - whatever-S:ybiBmNiQxF-whatever STATEMENT2 whatever </CODE></PRE> <P>Is there a way to do this in a Splunk query?</P> <P>Thanks,<BR /> Jonathan</P> Mon, 14 Aug 2017 20:14:04 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369145#M108773 jbrenner 2017-08-14T20:14:04Z https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369146#M108774 <P><STRONG>Is the sessionID already extracted into a field?</STRONG> If so, then you can use the <CODE>transaction</CODE> command to combine the sets of transactions (same sessionID) together and perform functions on those, whether it be counts, check for completed transactions, etc.</P> <P>If it is not already extracted, then you will have to do a field extraction (either automatic or inline) to use the <CODE>transaction</CODE> command. For that you <STRONG>may</STRONG> have to provide more complete example data in order to allow us to help with the field extraction. </P> Mon, 14 Aug 2017 20:28:56 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369146#M108774 cpetterborg 2017-08-14T20:28:56Z https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369147#M108775 <P>Give this a try (assuming no field extraction was done, if it has, remove the rex commands)</P> <PRE><CODE>your base search for selecting only STATEMENT1 and STATEMENT2 type of events | rex "S:(?&lt;sessionID&gt;[^\-]+)\S+\s+(?&lt;Statement&gt;\S+)" | stats list(Statement) as Statements by sessionID | where mvindex(Statements,0)="STATEMENT1" AND mvindex(Statements,1)="STATEMENT2" | stats count </CODE></PRE> Mon, 14 Aug 2017 20:52:12 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369147#M108775 somesoni2 2017-08-14T20:52:12Z https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369148#M108776 <P>Thanks for pointing me in the right direction. SInce there did not turn out to be any intervening events, I was able to use maxevents=2 with the TRANSACTION command:</P> <PRE><CODE>index=my_index | rex field=_raw "-S:(?&lt;SESSION_ID&gt;\w+)-" | transaction SESSION_ID startswith="STATEMENT1" endswith="STATEMENT2" maxevents=2 </CODE></PRE> Wed, 23 Aug 2017 15:02:32 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-search-for-two-strings-in-chronological-order-in/m-p/369148#M108776 jbrenner 2017-08-23T15:02:32Z