Splunk Dev

Problem with filtering on events important for a transaction

mrbaisgard
New Member

I have two types of events that I am interested in: one that says something about usage flows of a mobile app, the other whether the app has crashed. I would like to find what types of usage patterns lead into a crash x minutes before the crash happens, for all crashes.

In order to do so I have this query to see usage 5 mins prior to the crash log being uploaded:
my_indexes type=some_mobile_brand [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields userId] | transaction userId endswith=CrashUploaded maxspan=5m | stats values(userpattern)

Now, I have a problem: after a crash it takes some time before the CrashUploaded metric is sent, and I would like to filter out userpatterns AFTER the crash but BEFORE the CrashUploaded metric got sent.

In all events there is a sessionId that is distinct for each active session (it only changes when the app restarts). So I need to be able to filter out all userpatterns that have the same sessionId as the CrashUploaded event. However, I am unable to find a good way of doing it without also filtering out the CrashUploaded metric.

Is there any way I could keep the CrashUploaded event, but filter out all events with a userpattern value that have the same sessionIds as the CrashUploaded events?


livehybrid
Builder

There are possibly a couple of ways of doing this, however I think you could start by searching for crashes, taking the sessionId and then searching all activity for that sessionId:

Looking at the query you have above, it looks like you might already be taking this approach but using the userId instead of sessionId? Perhaps I got the wrong end of the stick?


mrbaisgard
New Member

By "filtering out" I mean removing 🙂 I understand it was confusing. What I want to end up with are the user actions where sessionId!=(sessionId of CrashUploaded events).


livehybrid
Builder

Ah okay, if you want to exclude sessions where the app crashed then I think the below might help?

my_indexes type=some_mobile_brand NOT [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields userId] | transaction userId maxspan=5m | stats values(userpattern)


mrbaisgard
New Member

Not totally there yet, as this gives me all user actions that did not end with a crash. What I want is all user actions that ended with the crash (restart of the app), but excluding the user actions that happened after the crash up to when the event with field CrashUploaded was sent.


mrbaisgard
New Member

I believe I found the way to do this:

my_indexes type=some_mobile_brand [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields userId] NOT ( [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields sessionId] AND SM_C.key!=CrashUploaded) | transaction userId maxspan=5m | stats values(userpattern)


mrbaisgard
New Member

Thanks, but I see I might not have been totally clear. What you suggest would give me the user activity AFTER the app has restarted. What I want is ONLY the user activity BEFORE the app restarts, so I want to exclude user activity where the sessionIds are the same as CrashUploaded.
