https://community.splunk.com/t5/Splunk-Search/Searching-a-sequence-of-logs/m-p/56951#M179899 <P>Yes the transaction comman with bounderies would be a good start, but also use event tags. Tag both events with something meaningfull.</P> <P>Event A has tag=Error1</P> <P>Event_B has tag=Error2</P> <P><CODE></CODE><PRE><CODE><BR /> index=someindex AND (tag=Error1 or tag=Error2) | Transaction host startswith="unable to" endswith="connection failed" maxspan=1m <BR /> </CODE></PRE></P> <P>Additional Reading:</P> <UL> <LI><A href="http://wiki.splunk.com/Deploy:UseSplunkForEventCorrelation">UseSplunkForEventCorrelation</A></LI> <LI><A href="http://blogs.splunk.com/2012/09/14/splunk-book-excerpt-grouping-events/">splunk-book-excerpt-grouping-events</A></LI> <LI><A href="http://blogs.splunk.com/2010/09/01/event-correlation/">event-correlation</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Tageventtypes">Tageventtypes</A></LI> </UL> <P>Keep in mind that is only an example.</P> <P>Hope this helps or gets you started. Dont forget to vote up and accept answers that help.</P> <P>Cheers</P> Thu, 06 Jun 2013 17:44:48 GMT bmacias84 2013-06-06T17:44:48Z https://community.splunk.com/t5/Splunk-Search/Searching-a-sequence-of-logs/m-p/56949#M179897 <P>Hi,</P> <P>I made a lot of research and tests but I can't figure how to...</P> <P>Is it possible to search a sequence of differents events in all the logs indexed in Splunk.</P> <P>I mean, if in the search window, I have something like this :</P> <HR /> <P>....</P> <P>event A</P> <P>....</P> <P>....</P> <P>event B</P> <P>....</P> <HR /> <P>Is there a search command which permit to search the sequence "event A then event B". <BR /> And after, use the result to create an alarm when I have this sequence of two events ?</P> <P>I'm not an english speakers, so please forgive my bad english.<BR /> I hope my request is understandable anyway.</P> <P>Axel</P> Thu, 06 Jun 2013 14:28:01 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-sequence-of-logs/m-p/56949#M179897 jacquesaxel 2013-06-06T14:28:01Z https://community.splunk.com/t5/Splunk-Search/Searching-a-sequence-of-logs/m-p/56950#M179898 <P>Hello</P> <P>You can use the transaction command with the parameters startswith and endswith to define transaction boundaries</P> <P>Regards</P> Thu, 06 Jun 2013 14:55:57 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-sequence-of-logs/m-p/56950#M179898 gfuente 2013-06-06T14:55:57Z https://community.splunk.com/t5/Splunk-Search/Searching-a-sequence-of-logs/m-p/56951#M179899 <P>Yes the transaction comman with bounderies would be a good start, but also use event tags. Tag both events with something meaningfull.</P> <P>Event A has tag=Error1</P> <P>Event_B has tag=Error2</P> <P><CODE></CODE><PRE><CODE><BR /> index=someindex AND (tag=Error1 or tag=Error2) | Transaction host startswith="unable to" endswith="connection failed" maxspan=1m <BR /> </CODE></PRE></P> <P>Additional Reading:</P> <UL> <LI><A href="http://wiki.splunk.com/Deploy:UseSplunkForEventCorrelation">UseSplunkForEventCorrelation</A></LI> <LI><A href="http://blogs.splunk.com/2012/09/14/splunk-book-excerpt-grouping-events/">splunk-book-excerpt-grouping-events</A></LI> <LI><A href="http://blogs.splunk.com/2010/09/01/event-correlation/">event-correlation</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Tageventtypes">Tageventtypes</A></LI> </UL> <P>Keep in mind that is only an example.</P> <P>Hope this helps or gets you started. Dont forget to vote up and accept answers that help.</P> <P>Cheers</P> Thu, 06 Jun 2013 17:44:48 GMT https://community.splunk.com/t5/Splunk-Search/Searching-a-sequence-of-logs/m-p/56951#M179899 bmacias84 2013-06-06T17:44:48Z