topic Re: Exclude an Event Based on Value From Another Event in Splunk Search

Exclude an Event Based on Value From Another Event

jepoyyyy — Fri, 23 Sep 2016 08:14:43 GMT

Hi All,

I have a set of log that contains events something similar to this:

Event A
[09-23-16 16:03:35:972] TransactionID(0900001) Request SomeText SomeTxt amount=90

Event B
[09-23-16 16:03:35:973] TransactionID(0900001) Received packet 'HTTP/1.1 200 OK

There are other events for each transaction but I am only interested in these two lines. I need to get the sum of the amount but only for transactions that are successful which is indicated in the next event with status "200 OK"

I'm thinking of using transaction command but it would be too expensive. Are there any approach other that grouping it using transaction command?

Thanks in advance!
-Jeff

Re: Exclude an Event Based on Value From Another Event

sundareshr — Fri, 23 Sep 2016 13:08:33 GMT

Try this. if a transaction id can have more than request and response

index=xyz "Request SomeText" OR "Received packet 'HTTP/1.1 200 OK" | rex "TransactionID\((?<id>\d+)\)\s(?<action>Received|Request)" | stats sum(Amount) as Total count(eval(action=Received)) as Recd count(eval(action=Request)) as Req by id | where Recd=Req

Re: Exclude an Event Based on Value From Another Event

alemarzu — Fri, 23 Sep 2016 13:27:13 GMT

Hi there jepoyyy,

Assuming that you don't have certain fields already extracted, try this.

main search  | rex "TransactionID\((?<transactionId>\d+)\)\s" | rex "\)\sReceived\spacket\s\S+\s(?<status>\d+)\s\w+$" | stats latest(_time) AS lastTime, sum(amount) AS Amount, values(status) AS Status by transactionId | where Status=200 | convert ctime(lastTime)

Hope it helps.

Re: Exclude an Event Based on Value From Another Event

jepoyyyy — Sat, 24 Sep 2016 16:44:51 GMT

Thank you for pointing me to the right direction!

Re: Exclude an Event Based on Value From Another Event

alemarzu — Mon, 26 Sep 2016 12:40:11 GMT

I'm glad it helped you! Happy Splunking!