topic Re: How to search for all events for a transaction if there is no unique ID? in Splunk Search

How to search for all events for a transaction if there is no unique ID?

prashanthberam — Thu, 15 Dec 2016 21:37:04 GMT

Hi everybody ...
i have these kind of logs in my environment. every transaction has these 4 log messages but there is no unique id for every transaction. simply it's generating this kind of message, but there is no information to correlate this information for 1 particular transaction. but i need to find the INFORMATION whatever in between inbound and outbound. can anyone help me in that?

Thanks in advance.![alt text][1]

Re: How to search for all events for a transaction if there is no unique ID?

somesoni2 — Thu, 15 Dec 2016 21:46:06 GMT

Can there be more that one transactions going one at the same time?

Re: How to search for all events for a transaction if there is no unique ID?

prashanthberam — Thu, 15 Dec 2016 21:55:32 GMT

No for each transaction their is diff of some milliseconds.

Re: How to search for all events for a transaction if there is no unique ID?

somesoni2 — Thu, 15 Dec 2016 22:01:59 GMT

Give this a try. This should group relevant transaction events together.

Your base search | eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield

If you're looking for specific output, please provide a sample/details of that.

Re: How to search for all events for a transaction if there is no unique ID?

prashanthberam — Tue, 29 Sep 2020 12:08:16 GMT

index=ccsp_test_was source="/usr/WASLogs700/cdhpws_uat*_/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse"
AND "Outbound Message" OR "Inbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode"
OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" |rex "(?Inbound|Outbound)" |eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield | rex "ID:(?.)"
|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?.)" |rex "(?.)"|rex "(?.)" | rex "(?.)" | rex "(?.)" |rex "(?.)" |rex "(?.)"|rex "(?.)"| rex "(?.)"|rex "(?.)" |rex "provZipCode assigned to zipCode:(?.)"| rex "memZipCode assigned to zipCode:(?.*)"|stats max(_time) as startTime,min(_time) as endTime,values(info) as Info,values(ResponseTime) as responseTime,values(StatusCode) as StatusCode,values(message) as StatusMessage,values(CorpEntCd) as corpEntCd,values(costlvlpctl) as Costlvlpctl,values(CptCode) as cptCode,values(GroupNbr) as GroupNbr,values(MemZipCode) as memZipCode,values(procdchrgamt) as ProcChrgamt,values(ProvZipCode) as ProvZipCode,values(SectionNbr) as SectionNbr,values(ServiceDate) as ServiceDate,values(tretcatcd) as TretCatCd,values(tretcatname) as TretCatName,values(bnftAgrmtNbr) as bnftAgrmtNbr,values(acctNbr) as acctNbr,values(provassignZip) as provassignZip,values(memzipassignzip) as memzipassignzip by id,source
|eval responseTime=startTime-endTime |eval StartTime=strftime(startTime,"%Y-%m-%d %H:%M:%S,%3N")|eval EndTime=strftime(endTime,"%Y-%m-%d %H:%M:%S,%3N")
|table id,Info,StartTime,EndTime,responseTime,StatusCode,StatusMessage,source,corpEntCd,Costlvlpctl,cptCode,GroupNbr,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,provassignZip,memzipassignzip

could you please help me in this while adding those above code into my search am getting results but responsetime is coming because am loosing the time for outbound message because i nedd to display the transaction starttime endtime in the final result...thanks in advance..

Re: How to search for all events for a transaction if there is no unique ID?

prashanthberam — Tue, 29 Sep 2020 12:26:19 GMT

index=ccsp_prd_was source="/usr/WASLogs700/cdhpws_/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Inbound Message" OR "Outbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode" OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" | rex "ID:(?.)" |rex "(?Inbound|Outbound)" | eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield by id.....
am using this query in the production ...Their has 1 or 2 requests not properly combined because ,,,for those requests will have first outbound message and afterwards inbound message.......could you please tell me how can i change the query....
thanks in advance....

Re: How to search for all events for a transaction if there is no unique ID?

somesoni2 — Wed, 11 Jan 2017 21:13:31 GMT

Any specific reasons why the outbound message came before inbound? My answers rely on the order of inbound and outbound messages and will not work if the order is changed.

Re: How to search for all events for a transaction if there is no unique ID?

prashanthberam — Wed, 11 Jan 2017 21:40:25 GMT

I don't Know... Even i have check the timestamp..time stamp is good ...once inbound processed then only outbound message processing ..but in the logs it has written like that..for some of the requests...

Re: How to search for all events for a transaction if there is no unique ID?

somesoni2 — Wed, 11 Jan 2017 21:58:37 GMT

May be your need to sort the events by timestamp so that order is proper? Try adding | sort 0 -_time before eval transfield.

Re: How to search for all events for a transaction if there is no unique ID?

prashanthberam — Wed, 11 Jan 2017 22:01:31 GMT

sometimes simultaneously 2 requests are processing ...that's why i am getting the at a time 2 Inbound and outbound messages.... like this order
outbound 28773
inbound 28773
outbound 28772
outbound 28771
inbound 28772
inbound 28771

Re: How to search for all events for a transaction if there is no unique ID?

somesoni2 — Wed, 11 Jan 2017 22:14:17 GMT

It would be really difficult to differentiate two concurrent simultaneously without a unique identifier. May be check with log source on how you can get that added.

Re: How to search for all events for a transaction if there is no unique ID?

prashanthberam — Wed, 11 Jan 2017 22:20:47 GMT

the log source is also same bro..