https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67741#M16920 <P>Just don't use source as a field to run <CODE>transaction</CODE> on.</P> Thu, 11 Oct 2012 12:13:37 GMT Ayn 2012-10-11T12:13:37Z https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67735#M16914 <P>Hi,<BR /> We have gotten quite a complex search request, which we are not sure if is possible at all.</P> <P>If the application log says "SITE X DOWN", and then within an five minute interval logs "SITE BACKUP X DOWN" it must raise an alert. If the applications logs SITE BAKCUP X DOWN outside the five minute interval everything is OK.</P> <P>How, if at all possible, could this be accomplished?</P> <P>--<BR /> Espen</P> Wed, 31 Aug 2011 07:54:12 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67735#M16914 efo 2011-08-31T07:54:12Z https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67736#M16915 <P>You can use the <CODE>transaction</CODE> command. This will join separate events together to a new combined event (a transaction) based on rules that you specify. You can then search for transactions that match multiple conditions.</P> <P>In your case, you want to find cases where "SITE X DOWN" and "SITE BACKUP X DOWN" occur within a 5 minute interval. This can be accomplished using <CODE>transaction</CODE> like this:</P> <PRE><CODE>"SITE X DOWN" OR "SITE BACKUP X DOWN" | transaction source startswith="SITE X DOWN" endswith="SITE BACKUP X DOWN" maxspan=5m </CODE></PRE> <P>Any events returned by this search will match your condition. I used "source" as an argument to <CODE>transaction</CODE> but any field identifier can be used. This specifies what field(s) Splunk should look for and use when grouping together events, so in this case Splunk will be looking to grouping events into transactions if they have the same value for the "source" field. The more unique the field value, the better.</P> <P>More information on the <CODE>transaction</CODE> command is available in the docs: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P> Wed, 31 Aug 2011 08:12:43 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67736#M16915 Ayn 2011-08-31T08:12:43Z https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67737#M16916 <P>Excellent answer, clearly explained</P> Wed, 31 Aug 2011 08:14:35 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67737#M16916 Drainy 2011-08-31T08:14:35Z https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67738#M16917 <P>This solves the problem.<BR /> Thank you very much, Ayn</P> Thu, 15 Sep 2011 06:58:35 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67738#M16917 efo 2011-09-15T06:58:35Z https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67739#M16918 <P>This is perfect, thank you.<BR /> But is it best run with time range "rt-5 to rt" or just a normal search that ranges the last ten minutes or so?</P> Thu, 15 Sep 2011 07:25:03 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67739#M16918 efo 2011-09-15T07:25:03Z https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67740#M16919 <P>How would you do it if you have two different source logs?</P> Thu, 11 Oct 2012 12:09:33 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67740#M16919 lpolo 2012-10-11T12:09:33Z https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67741#M16920 <P>Just don't use source as a field to run <CODE>transaction</CODE> on.</P> Thu, 11 Oct 2012 12:13:37 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-searches/m-p/67741#M16920 Ayn 2012-10-11T12:13:37Z