Hi,
Very new to Splunk and don't even know what to search for.
If you look, every customer that is successfully processed will write 2 events, and if not, only 1 event (Start).
How do I find the customers which have only a Start event and no End event?
My log writes like below:
TIMESTAMP Customer1 Start
TIMESTAMP Customer1 End
TIMESTAMP Customer2 Start
TIMESTAMP Customer2 End
TIMESTAMP Customer3 Start
Like this:
| rex "(?<customer>\S+)\s+(?<state>Start|End)"
| streamstats count(eval(state="End")) AS sessionID BY customer
| stats dc(state) AS state_count values(state) AS states BY customer sessionID
| where states="Start" AND state_count=1
Here is one way to get a list of customers that have a start time but are missing end time:
| gentimes start=02/07/2017:00:00:00 end=02/07/2017:00:06:00 increment=1m
| rename starttime as _time
| fields _time
| appendcols [
    | makeresults
    | eval raw2=split("cust=Customer1 event=Start,cust=Customer1 event=End,cust=Customer2 event=Start,cust=Customer2 event=End,cust=Customer3 event=Start,cust=Customer9 event=Start",",")
    | mvexpand raw2
    | eval _raw=raw2
    | extract
    | fields - _raw raw2
  ]
| stats earliest(_time) as StartTime latest(_time) as EndTime by cust
| where StartTime=EndTime
| fields - StartTime EndTime
This returns Customer3 and Customer9. All it does is check to see if the customer's max timestamp is the same as its min timestamp. It is a flexible way to avoid using the transaction command.
Another method is to look for the number of events per customer ID. If there is only 1, it qualifies:
| gentimes start=02/07/2017:00:00:00 end=02/07/2017:00:06:00 increment=1m
| rename starttime as _time
| fields _time
| appendcols [
    | makeresults
    | eval raw2=split("cust=Customer1 event=Start,cust=Customer1 event=End,cust=Customer2 event=Start,cust=Customer2 event=End,cust=Customer3 event=Start,cust=Customer9 event=Start",",")
    | mvexpand raw2
    | eval _raw=raw2
    | extract
    | fields - _raw raw2
  ]
| stats count by cust
| where count<2
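As an added example that is not part of either answer above: the same check done in Python over a constructed log in the question's format, comparing the count-based method with a session-aware one (the idea behind the streamstats answer) that also catches a customer whose earlier session completed but whose newer one did not. The sample log and the function names are assumptions for illustration, not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log in the question's format: "TIMESTAMP Customer Start|End".
# Customer4 is the edge case: a completed session followed by a new, unfinished Start.
SAMPLE_LOG = """\
2017-02-07T00:00:00 Customer1 Start
2017-02-07T00:01:00 Customer1 End
2017-02-07T00:02:00 Customer2 Start
2017-02-07T00:03:00 Customer2 End
2017-02-07T00:04:00 Customer3 Start
2017-02-07T00:05:00 Customer4 Start
2017-02-07T00:06:00 Customer4 End
2017-02-07T00:07:00 Customer4 Start
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<customer>\S+)\s+(?P<state>Start|End)\s*$")


def parse(log_text):
    """Yield (timestamp, customer, state) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("customer"), m.group("state")


def customers_with_fewer_than_two_events(log_text):
    """The 'stats count by cust | where count<2' method. Misses Customer4,
    whose three events make its count look complete."""
    counts = defaultdict(int)
    for _, customer, _ in parse(log_text):
        counts[customer] += 1
    return sorted(c for c, n in counts.items() if n < 2)


def customers_with_open_session(log_text):
    """Session-aware check: walk events in time order, a Start opens (or reopens)
    the customer's session and an End closes it. Whatever is still open at the end
    of the log is an incomplete transaction, reported with its Start timestamp."""
    open_since = {}  # customer -> timestamp of the unmatched Start
    for ts, customer, state in sorted(parse(log_text)):  # ISO timestamps sort lexically
        if state == "Start":
            open_since[customer] = ts
        else:
            open_since.pop(customer, None)  # an End without a Start is simply ignored
    return sorted(open_since.items())
```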