Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Track process statuses using transactions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Track process statuses using transactions
I have log events that track incidents. Each log event has a ticket ID My work flow consists of 8 steps A,B,C,D,E,F,G,H. A is START, G is SUCCESS| FAIL and H is END, E is NEEDSATTENTION.
I am using the Splunk transaction command. However if I want to track Start to NEEEDSATTENTION then I get all transactions that have NEEDSATTENTION but I also get some that have gone pass this process to either SUCCESS FAIL or END. How can I only get transactions that have reached the NEEDSATTENTION process?
IS this something that needs to be a "multisearch"?
For Example index=incidents | transaction ticketid startswith=eval(workstatus="START")) endswith=eval(workstatus="NEEDSATTENTION")) | table ticketID userFirstName userLastName businessUnit duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transaction is the wrong tool for this. It's useful for some use cases, but this one isn't it.
index=incidents
| fields ticketID userFirstName userLastName businessUnit workstatus
| eventstats range(_time) as duration latest(workstatus) as currentstatus by ticketID
| where currentstatus="NEEDSATTENTION"
This gives you every record for any ticketID whose current status is "NEEDSATTENTION". Each record contains the total duration, defined as the number of seconds (epoch time) between the earliest _time and the latest _time. At this point, you probably want to just roll them together with a stats command.
| stats values(*) as * by ticketID
The last may need some finessing if some of the records contain different data from others. For instance, if you only wanted the latest userFirstName and userLastName, and so on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK I am now investigating this!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to verify that workstatus="NEEDSATTENTION" is correct. Using endswith should work, unless the events are coming in out of order or something.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you always have a very specific number of steps for the type of grouping you're looking for? If you do you can use eventcount to filter out the ones that go past your NEEDSATTENTION. It tells you how many events were grouped into your transaction so you could do a where eventcount<7
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as steps not really, the event count may fail in certain cases.
For example step C is an informational step as the case information gets populated then there are multiple step C's.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
