topic Calrification on transaction command in Splunk Search

Calrification on transaction command

Jananee_iNautix — Fri, 09 May 2014 07:57:50 GMT

Hi,

There is a requirement to group the events that startswith"String1" and endswith "String2" as a transaction OR group the events that startswith="String3" and endswith="String4" in the same search query and extract fields.I tried the search query like as follows

index=axr |transaction startwith="String1" endswith="String2" OR transaction startswith="String3" endswith="String4"
But I get error as there is no option to have two startswith and endswith

Is there any way available in splunk to accomplish this requirement? Please advise.The sample logs

20141205::User logged off(String1 of transaction)
.
.
.
.
.
20141206::IBMX_fer:failed to ftp(String3 of transaction)
.
.
.
.
.
20141207 ::No translation(String4 of transaction)
.
.
.
.
.
20141208 ::Processing complete(String2 of transaction)

Re: Calrification on transaction command

MuS — Fri, 09 May 2014 09:35:57 GMT

Hi Jananee_iNautix,

your transaction will not work because of the startswith="" endswith="" OR startswith="" endswith="" options which are supposed to be provided only once.

if your events only have either string1 or string3 and string2 or string4 then you could try something like this:

your base search to get all needed events | eval mystart=coalesce(string1, string3) | eval myend=if(mystart=string1, string2, string4) | transaction startswith=mystart endswith=myend | ...

Some minor updates to the wording and the search command, based on the two comments below 😉

hope this helps ...

cheers, MuS

Re: Calrification on transaction command

gfuente — Fri, 09 May 2014 11:59:04 GMT

Hello Mus

In your solution you could end up with start with string 1 and ends with string 4 as a valid transaction. And it seems that string 1 would only ends with string 3 (not 3 or 4)

Regards

Re: Calrification on transaction command

MuS — Fri, 09 May 2014 12:13:59 GMT

that's true, but as long as no log examples are provided this is all just if - when - maybe - you - could ... then again one can add another if to check eval myend=if(mystart=string1, string2, string4) ...

Re: Calrification on transaction command

lguinn2 — Fri, 09 May 2014 19:18:34 GMT

I don't see anything wrong with the initial search of index=axr

Re: Calrification on transaction command

Jananee_iNautix — Mon, 12 May 2014 06:23:56 GMT

My requirement is like the transaction should start with "String1" and endwith "String2" strictly and the other transaction should startwith="String3" and endswith="String4" striclty.There should not be other combinations .Can you please suggest any way to do that?

Re: Calrification on transaction command

MuS — Mon, 12 May 2014 06:32:04 GMT

If your events only contain either String1 or String3 you can test my search command. it will take either String1 or String3 as startswith and depending on startswith sets either String2 or String4 as endswith

Re: Calrification on transaction command

Jananee_iNautix — Tue, 13 May 2014 07:47:45 GMT

When worked with the query given by you,the events of transaction involving String3 & String4 doesn't get load.The transaction -String3 &4 is inside the transaction -String1 &2.In such cases,will the query works as expected.I have also uploaded the sample logs in the question.Please take a look at the logs and advise .

Re: Calrification on transaction command

MuS — Tue, 13 May 2014 09:07:32 GMT

Okay, this is way you should always provide some sample logs if asking something....it looks like your string1|2|3|4 is not a field. You really mean a string of words. So first thing to do is, to get those words in some field, because the evals I used are all based on fields called string1 or string2 and so on.

Read more about field extraction here http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/Addfieldsatsearchtime
and use the new cretaed field as shown in my example.