topic Re: Tracking of particular field in Splunk Search

Tracking of particular field

N92 — Tue, 29 Sep 2020 18:32:06 GMT

I have two fields from them I want to track particular one field with starting of this & ending of that value. For that, I have written as shown below. Is any correction needed?

| transaction abc xyz startswith=(xyz="something") endswith=(cs_uri_stem="anything") maxspan=1s

Here currently I have added maxspan=1s but I want to check immediate next event with anything value which may occur before 1s.
I want to focus on only immediate next event from abc.

Another question is: Here I am tracking only one value. But how can I track field value in both the field. share any eg.

Re: Tracking of particular field

tiagofbmm — Mon, 19 Mar 2018 13:17:04 GMT

Have you checked the

maxevents
Syntax: maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled.
Default: 1000

That with value 2 will get you the immediate next event with abc value.

Re: Tracking of particular field

N92 — Mon, 19 Mar 2018 13:29:46 GMT

| transaction abc xyz startswith=(xyz="something") endswith=(xyz="anything") maxevents=2

If I am adding maxevents then it will match xyz's starting & ending value also?

After matching xyz value it will go further & check maxevents for abc field?

Re: Tracking of particular field

tiagofbmm — Wed, 21 Mar 2018 17:25:34 GMT

Yes.

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that