
Help with transaction !

dmenon84
Path Finder

Hi ,

I have the following query written, but it is not giving me the correct output. My logs look like this:

subject   action     score   x     s
Hello     continue   40      234   585
Hello     discard    80      234   585

My query
index=myindex (action=discard OR action=continue ) | transaction x s keepevicted=true startswith=eval(action="continue") endswith=eval(action="discard") | search subject=* | stats values(action) AS action,dc(action) AS actioncount by subject | where actioncount=2

It gives me info, but it's usually the ones that are discarded first and continued later. I am trying to get info for the other way round.

So anything that scores above 80 has action=discard, so I want to get alerted on all subjects that had a score below 80 and action=continue but whose score later went above 80 and now have action=discard. The logs are split into several lines, hence a transaction on 'x' and 's' is required to combine the logs.

Thanks in advance for any help !


niketn
Legend

@dmenon84... a few things to take care of:

1) Stats is more suitable for your use case compared to transaction
2) Filter results upfront so add subject=*, action and score criteria for discard and continue in your base search
3) Subject should also be part of your aggregation clause

index=myindex subject=* (action=discard AND score>80) OR (action=continue AND score<80)
| stats count as eventcount list(action) as action list(score) as score dc(action) as actioncount by x, s,subject

Try this and let us know how it goes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dmenon84
Path Finder

Thanks for helping. Sorry for the delay in response, I got caught up in other projects. So this query works somewhat, but I am not getting the scores. This is actually due to the info I provided. Here is how the logs look. The action and score are not in the same log event, so will it still work without transaction?

May 10 08:39:40 s=200 m=1 x=200-1 mod=mail cmd=env_from from=emailaddress to=emailaddressto host=hostname ip=externalsenderip
May 10 08:39:41 s=200 m=1 x=200-1 mod=spam cmd=run score=74
May 10 08:39:41 s=200 m=1 x=200-1 mod=mail cmd=msg rule=pass action=continue attachments=0 rcpts=1 hops-ip=ipaddress subject="My email subject"


niketn
Legend

Once correlated you should have only one value for action, subject and score for each combination of x and s (which form a composite key in this case):

   | stats count as eventcount, values(action) as action, values(subject) as subject, values(score) as score dc(action) as actioncount by x, s 
   | search action="continue"
   | table subject action score
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dmenon84
Path Finder

I have some cases where the subject is the same but x, s and score are different. It would be nice to be able to group by subject, sender etc. I have done this using transaction, but with stats I am not having much luck.

2a9a93527r 2a9a93527r-1 4 continue RE: more space 43 1
2a9a9352m4 2a9a9352m4-1 4 continue RE: more space 45 1

0 Karma

DalJeanis
Legend

Yes, aggregate clauses in splunk (like stats values(x)) do not require every event to have field x, it just counts, aggregates, averages, or lists the values that are there, for all records that have the same values in the fields in the by clause.

Since subject is only in one record, you'll want to move it out of the by clause and in with the aggregate clauses.

| stats count as eventcount, list(action) as action, list(subject) as subject, list(score) as score dc(action) as actioncount by x, s

dmenon84
Path Finder

Thanks that worked well. I just added a where clause at end to see only the ones that were continued

 | stats count as eventcount, list(action) as action, list(subject) as subject, list(score) as score dc(action) as actioncount by x, s | where action="continue"

Now I am trying to group by subject; can you please guide me on that as well? I want to group by subject and want to see only the columns
subject action score


cmerriman
Super Champion

Try editing the startswith/endswith and add mvlist=t to keep the events in stats in the right order:

index=myindex (action=discard OR action=continue ) | transaction x s keepevicted=true startswith=eval(match(action,"continue")) endswith=eval(match(action,"discard")) mvlist=t | search subject=* | stats list(action) AS action, dc(action) AS actioncount by subject | where actioncount=2

or try this:

index=myindex (action=discard OR action=continue )|sort 0 x s + _time |streamstats window=1 current=f values(action) as previousAction by x s| stats values(action) as action values(previousAction) as previousAction values(x) as x values(s) as s by subject |search action="discard" previousAction="continue"
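As an added illustration (not code from the thread or from Splunk), the following Python reproduces the two-step logic the answers above describe: first niketn's `stats values(*) by x, s` correlation on the composite key, which stitches the separate score and action events back together, then cmerriman's time-ordered "previous action" check per subject, which is what distinguishes continue-then-discard (alert) from discard-then-continue (no alert). The log lines are constructed in the same key=value shape as the poster's sample; the hostnames, addresses, session numbers and the 80 threshold are assumptions.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample data, modelled on the poster's format (hypothetical values).
# Subject "RE: more space": continue at 74, later discard at 91  -> should alert.
# Subject "invoice": discard at 88 first, continue at 12 later  -> the other way round, no alert.
SAMPLE_LOGS = """\
May 10 08:39:40 s=200 m=1 x=200-1 mod=mail cmd=env_from from=a@example.com to=b@example.com host=mx1 ip=198.51.100.7
May 10 08:39:41 s=200 m=1 x=200-1 mod=spam cmd=run score=74
May 10 08:39:41 s=200 m=1 x=200-1 mod=mail cmd=msg rule=pass action=continue attachments=0 rcpts=1 hops-ip=198.51.100.7 subject="RE: more space"
May 10 09:12:03 s=201 m=1 x=201-1 mod=mail cmd=env_from from=a@example.com to=b@example.com host=mx1 ip=198.51.100.7
May 10 09:12:04 s=201 m=1 x=201-1 mod=spam cmd=run score=91
May 10 09:12:04 s=201 m=1 x=201-1 mod=mail cmd=msg rule=block action=discard attachments=0 rcpts=1 hops-ip=198.51.100.7 subject="RE: more space"
May 10 07:00:00 s=150 m=1 x=150-1 mod=spam cmd=run score=88
May 10 07:00:01 s=150 m=1 x=150-1 mod=mail cmd=msg rule=block action=discard subject="invoice"
May 10 07:30:00 s=160 m=1 x=160-1 mod=spam cmd=run score=12
May 10 07:30:01 s=160 m=1 x=160-1 mod=mail cmd=msg rule=pass action=continue subject="invoice"
"""

# syslog-style timestamp followed by key=value tokens (quoted values allowed)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields plus a _time datetime (None if unparsable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"_time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")}
    for tok in shlex.split(m.group("kv")):  # shlex keeps subject="RE: more space" as one token
        if "=" in tok:
            key, value = tok.split("=", 1)
            event[key] = value
    return event


def correlate_by_key(log_text, key=("x", "s")):
    """Equivalent of `stats count as eventcount values(*) by x, s`.

    Every event sharing the composite key is merged into one record whose
    fields are sets of distinct values, exactly like values(); _time is the
    earliest event time, used later for ordering.
    """
    groups = defaultdict(lambda: {"_time": None, "eventcount": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or any(k not in ev for k in key):
            continue
        rec = groups[tuple(ev[k] for k in key)]
        rec["eventcount"] += 1
        if rec["_time"] is None or ev["_time"] < rec["_time"]:
            rec["_time"] = ev["_time"]
        for field, value in ev.items():
            if field != "_time" and field not in key:
                rec.setdefault(field, set()).add(value)
    return dict(groups)


def single(rec, field):
    """Return the field's value only if the correlation produced exactly one (else None)."""
    vals = rec.get(field)
    return next(iter(vals)) if vals and len(vals) == 1 else None


def find_continue_then_discard(groups, threshold=80):
    """Per subject, walk the correlated records in time order (the sort + streamstats
    previousAction idea) and alert when a low-score continue is followed by a
    high-score discard. Threshold semantics (< for continue, >= for discard) are an assumption."""
    by_subject = defaultdict(list)
    for key, rec in groups.items():
        subject = single(rec, "subject")
        if subject:
            by_subject[subject].append((key, rec))

    alerts = []
    for subject, recs in by_subject.items():
        recs.sort(key=lambda kr: kr[1]["_time"])
        seen_low_continue = False  # plays the role of previousAction="continue"
        for key, rec in recs:
            action, score = single(rec, "action"), single(rec, "score")
            if action is None or score is None:
                continue
            score = float(score)
            if action == "continue" and score < threshold:
                seen_low_continue = True
            elif action == "discard" and score >= threshold and seen_low_continue:
                alerts.append({"subject": subject, "x": key[0], "s": key[1], "score": score})
    return alerts


if __name__ == "__main__":
    for alert in find_continue_then_discard(correlate_by_key(SAMPLE_LOGS)):
        print(alert)
```

Running it prints one alert, for the "RE: more space" subject on the 201-1/201 message; the "invoice" subject produces nothing because its discard precedes its continue. In SPL the same ordering is what the `sort 0 x s +_time | streamstats ... previousAction` step provides; a plain `stats` by subject loses it, which is why the original `where actioncount=2` fired on both directions.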