The scenario is that I enter a search term, in my case it is a CR - correlation ID that pulls the whole journey of the call. The logs contain different information like the URL it hits, the origin, the target, the time taken, HTTP status code, HTTP method, etc. I want to create a dashboard which displays the flow of the call, of which URL/server it's hitting at each step with the success or error code. Has anyone come across such a dashboard or knows how to create one?
@sagar1905, if you are on Splunk 6.6 or higher you can try Status Indicator with Trellis Layout to show a call's status.
It depends what you want. Say you've got a reference number... that's fairly easy to collect from the user and pass to something like
index=intlsales sourcetype=intlsales_transaction reference_number=$input$ | transaction reference_number
index=intlsales sourcetype=intlsales_transaction reference_number=$input$ | stats count by action
to get a table like
action               count
transaction          1
transfer_money       1
verify_acct_success  1
verify_inv_success   1
To then turn that into a beautiful graphic is another more complicated job; you might look at the dashboard examples app or splunkbase, but to keep it simple I would just put it in a table and maybe eval some values that would make the table color up properly when told to heat map.
To make alerting decisions based on anomalies in that transactional is a lot harder; we make commercial software that does that.
If every log has a unique id to join upon, you can use transaction.
|transaction correlation_id for instance and it will spit out groups of events in order of how they happened.
Depending on what you’re looking at for an output and what the logs look like, that’s the best I can offer. More details about the data and expected output would be nice.
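An added example, not from any of the posts above, of one way to list a call's hops in time order for the correlation ID entered in the dashboard input, with a per-step success or error label that a table or Status Indicator panel can color on. The index, sourcetype and field names (`app_logs`, `app_access`, `correlation_id`, `origin`, `target`, `url`, `http_method`, `http_status`, `time_taken`) are assumptions standing in for whatever the real logs extract; `$input$` is the dashboard token as used in the searches above.

```spl
index=app_logs sourcetype=app_access correlation_id="$input$"
| sort 0 _time
| streamstats count AS step
| eval hop = origin . " -> " . target
| eval status_num = tonumber(http_status)
| eval result = case(isnull(status_num), "unknown",
                     status_num >= 500, "server_error",
                     status_num >= 400, "client_error",
                     status_num >= 200, "success",
                     true(), "unknown")
| table step _time hop url http_method http_status result time_taken
```

Unlike `transaction`, this keeps one row per event, so each hop's own status code and time taken stay visible instead of being merged into a single grouped event.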