topic Re: Splunk Query in Splunk Search

Splunk Query

dinesh001kumar — Sun, 01 Sep 2024 12:33:35 GMT

I would like to calculate the success rate of the Toup transaction via Channel( APP Or Web) in 4 API calls( E.g 4 Levels,Request will submit 1 do the validation and pass on level 2 and then at level 2 will do business validation and pass the transaction to next level and so on) in that few transactions may fail at level 1/2/3/4. The channel method will be available only in the Level 1 not in the Other level. Transaction ID is the only field comman in all the levels. If I apply filter on Channel the output only the list of transaction in Level 1 since Channel field available in level1.

1. If apply filter on Web/APP Channel I should get the list of transaction IDs respective of channel

2. Taking the transaction IDs as a input it should the validate the status of the transaction at each level (2/3/4).

Note: In level 2/3/4 the log has both App and web logs only based on the transaction ID from level 1 need to differentiate.

Https status -200(Success); 500(Failure)

Re: Splunk Query

ITWhisperer — Sun, 01 Sep 2024 14:32:00 GMT

Please share some raw anonymised representative sample events in a code block to preserve formatting.

Please identify which fields (if any) you already have extracted.

Also, please share a representation of your expected output.

Re: Splunk Query

dinesh001kumar — Sun, 01 Sep 2024 17:38:47 GMT

Level: 1

Time:01/09/2024 12:00:00.230
call_headers: "{\"platform\":\"android\",\"user-agent\\"device-id\":\"380C71F2-6546-3340D56648g\",\"channel\":\"APP\"}"
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg

===========================================================================================================

Level: 2

Time:01/09/2024 12:02:00.230
http_status: 200
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg
==========================================================================================================
Level: 3

Time:01/09/2024 12:00:10.220
Req_domain: https://google.com/purchaseproduct
Req_method: POST
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg
==========================================================================================================
Level: 4

Time:01/09/2024 12:00:30.230
http_status: 200
Status:Completed
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg

Re: Splunk Query

dinesh001kumar — Sun, 01 Sep 2024 17:40:10 GMT

Level: 1
call_headers: "{\"platform\":\"android\",\"user-agent\\"device-id\":\"380C71F2-6546-3340D56648g\",\"channel\":\"web\"}"
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj

===========================================================================================================

Level: 2
http_status: 200
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj
==========================================================================================================
Level: 3
Req_domain: https://google.com/purchaseproduct
Req_method: POST
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj
==========================================================================================================
Level: 4
http_status: 200
Status:Completed
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj

Re: Splunk Query

dinesh001kumar — Sun, 01 Sep 2024 17:43:12 GMT

Hi @ITWhisperer ,

Above is the 2 Sample events with transactionID, the log pattern will be same but only the Channel and Transaction ID will get different, So If Apply filter at Channel level its getting reflected the Level 1 Event only, Since there is no Channel event in remaining 3 events. I need to calculate whether the transaction is successfully passed at all level or failed in between.

Re: Splunk Query

ITWhisperer — Sun, 01 Sep 2024 20:05:15 GMT

I am not seeing the sample events in a code block - please can you repost them

Re: Splunk Query

dinesh001kumar — Mon, 02 Sep 2024 04:11:43 GMT

Level: 1
call_headers: "{\"platform\":\"android\",\"user-agent\\"device-id\":\"380C71F2-6546-3340D56648g\",\"channel\":\"web\"}"

Channel:web
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj

===========================================================================================================

Re: Splunk Query

dinesh001kumar — Mon, 02 Sep 2024 10:04:53 GMT

Level: 1

Time:01/09/2024 12:00:00.230 call_headers: "{\"platform\":\"android\",\"user-agent\\"device-id\":\"380C71F2-6546-3340D56648g\",\"channel\":\"APP\"}" Channel:App call_severity: 1 log_env: test message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b tran_id: dghhaxkhhjxh00765sg

===========================================================================================================

Level: 2

==========================================================================================================
Level: 3

Time:01/09/2024 12:00:10.220 Req_domain: https://google.com/purchaseproduct Req_method: POST log_env: test message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b tran_id: dghhaxkhhjxh00765sg

==========================================================================================================
Level: 4

Time:01/09/2024 12:00:30.230 http_status: 200 Status:Completed log_env: test message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b tran_id: dghhaxkhhjxh00765sg

Re: Splunk Query

dinesh001kumar — Mon, 02 Sep 2024 04:15:42 GMT

@ITWhisperer ,

I have reposted the sample 2 sample logs with transactionID, Please consider the Channel as a field, the log pattern will be same but only the Channel and Transaction ID will get different, So If Apply filter at Channel level its getting reflected the Level 1 Event only, Since there is no Channel event in remaining 3 events. I need to calculate whether the transaction is successfully passed at all level or failed in between.

Re: Splunk Query

ITWhisperer — Mon, 02 Sep 2024 10:08:18 GMT

You can add channel to all events with the same tran_id with eventstats

| eventstats values(channel) as channel by tran_id