topic Capturing the final value from the final event in a transaction? in Splunk Search

Capturing the final value from the final event in a transaction?

Dark_Ichigo — Tue, 31 Jan 2012 06:48:57 GMT

I have created a transaction that may contain one or more of these three log level types logLevels i.e. METRIC/INFO/WARN

For Example: Assume that one transaction holds three events, each event has its own logLevel type.

My Question is, How Can I pick up the final LogLevel type for the last event at the end of a Transaction?

Re: Capturing the final value from the final event in a transaction?

Ayn — Tue, 31 Jan 2012 08:12:12 GMT

You should be able to use stats:

... | stats last(LogLevel) by _time

Re: Capturing the final value from the final event in a transaction?

bojanz — Tue, 31 Jan 2012 22:01:05 GMT

It depends if those different LogLevel fields can happen in one transaction multiple times or not.

It gets a bit more tricky if you can have multiple LogLevel fields in one transaction, i.e. like this:

INFO
WARN
INFO
WARN

And you want to know what the last one was. In such cases I usually use the following trick:

mysearch | eval temp1=_time+","+LogLevel | transaction something | eval LastLogLevel=substr(mvindex(temp1,mvcount(temp1)-1),16)

This will create a new field that contains concatenated timestamp and the LogLevel field. One such field will be created for every LogLevel appearance in your transaction so you simply pick the last one with the mvindex command and pull out the value with substr.
There might be a more efficient way to do this too 🙂

Re: Capturing the final value from the final event in a transaction?

lguinn2 — Wed, 01 Feb 2012 22:27:28 GMT

As bojanz says, it depends on whether multiple log levels appear in a transaction. It also depends on whether you have used the Splunk transaction command to create the "transaction" that you mention, or if you are referring to the transactions that logically exist in your events.

Using the "transaction" command in Splunk is very cool, but also expensive. So if you don't need the resulting transaction for any other reason, try something like this instead

mysearch | stats latest(logLevel) by transactionId

This will return the latest (in time) logLevel in a transaction. If you have multiple criteria that define a transaction, you could use them all here:

mysearch | stats latest(logLevel) by customerId, sessionId

This would return one logLevel for each combination of customerId and sessionId

The above will return the latest logLevel, whatever it is, regardless of whether there are multiple logLevels in the transaction.

Oh, and if you want to return the last logLevel for each unique logLevel that appears in the transaction, as bojanz did, just add logLevel to the by clause:

mysearch | stats latest(logLevel) by transactionId, logLevel

Re: Capturing the final value from the final event in a transaction?

Dark_Ichigo — Fri, 10 Feb 2012 05:58:09 GMT

Bingo!.....Thanks!

Re: Capturing the final value from the final event in a transaction?

ifeldshteyn — Thu, 10 Dec 2015 23:10:32 GMT

Works like a charm. Thanks