topic Re: Help on Transaction command!! in Splunk Search

Help on Transaction command!!

shri_27 — Wed, 03 Jul 2013 10:07:42 GMT

Hi All,
I want count of word "ERROR" in the group of events for which i have used transaction command!

my search query is

source="*.log" | transaction startswith="Hydra is starting Control Channel" endswith="completed Setup"

Now i want to count the no of times the word "ERROR" has occurred between the limits.

sample log
[M2E-CSI]2013-06-11 01:19:40,924 PDT - Hydra is starting Control Channel
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
completed setup

Re: Help on Transaction command!!

sideview — Thu, 04 Jul 2013 00:13:31 GMT

I would use eval to make a numeric field valued at 0 or 1 as appropriate, on the events before transaction. This will then become a multivalued field in the transaction rows, and then you can more easily sum it up. Granted if we're talking a really large number of errors per transaction, then you might hit some multivalued-field limits.

source="*.log" | eval errorCount=if(searchmatch("ERROR"),1,0) | transaction startswith="Hydra is starting Control Channel" endswith="completed Setup" | streamstats count as rowIndex | streamstats sum(errorCount) as totalErrors by rowIndex

Re: Help on Transaction command!!

shri_27 — Thu, 04 Jul 2013 04:19:38 GMT

Hi sideview,
Thanks for your response! still am getting count of word "ERROR" as 1!!, as we see in sample log we should get count as 9.

Re: Help on Transaction command!!

sideview — Thu, 04 Jul 2013 05:26:03 GMT

Oh I think you need to add mvlist=t to your transaction command. By default mvlist is false, meaning it will only preserve a single "1" because it's only preserving distinct values. You might also want to put a fields clause before transaction to narrow down to just the fields you'll need to minimize transaction's work preserving all the other field values if you're not going to use them.
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Transaction

Re: Help on Transaction command!!

shri_27 — Fri, 05 Jul 2013 08:02:28 GMT

Thanks for your reply, i got the correct count.
But i want to display the results in the below format

Source Number of errors
file1 12
file2 25
file3 32
file4 23

This is the search Query
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | streamstats count as rowIndex| eventstats sum(errorCount) as totalErrors by rowIndex

Please help me..........

Re: Help on Transaction command!!

eashwar — Fri, 05 Jul 2013 09:38:04 GMT

hello, i was just going through the answer try below
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | eventstats sum(errorCount) as totalErrors by source

Re: Help on Transaction command!!

shri_27 — Fri, 05 Jul 2013 09:57:26 GMT

Thanks for the reply ...
If i use by source,i am not getting the count.....

Re: Help on Transaction command!!

sideview — Fri, 05 Jul 2013 18:27:55 GMT

index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | streamstats count as rowIndex| eventstats sum(errorCount) as totalErrors by rowIndex | stats sum(totalErrors) as totalErrors by source

Re: Help on Transaction command!!

shri_27 — Thu, 11 Jul 2013 10:50:05 GMT

Thanks for the reply....