Search String for all users that have two particular Jboss messages

New Member

Here are my original JBoss search string variables:

index=bob
CLASS="bobclass"
MESSAGE="bobmessage1"
MESSAGE="bobmessage2"
TRANSACTION

I am trying to make a dashboard that will show me the results when a user gets two particular jboss messages within the same transaction. I am thinking about starting the search on the CLASS, sort by TRANSACTION and if both MESSAGEs are in the particular TRANSACTION then that will count as a successful user transaction.

index=bob CLASS="bobclass"|sort by TRANSACTION

But from here I am at a loss how to sort it out.

0 Karma

Revered Legend

Give this a try

index=bob CLASS="bobclass" MESSAGE="bobmessage1" OR MESSAGE="bobmessage2" TRANSACTION
| stats values(MESSAGE) as MESSAGE by TRANSACTION userFieldName | where mvcount(MESSAGE)=2
0 Karma
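
A variant of the search in the answer above, added here as an example and not part of the original thread: it counts distinct MESSAGE values per transaction with dc(), keeps only transactions that contain both messages, and then totals them per user for a dashboard panel. userFieldName is the answer's placeholder for the field that holds the user; distinct_messages and successful_transactions are names chosen for this example, and TRANSACTION is assumed to be an extracted field.

```spl
index=bob CLASS="bobclass" (MESSAGE="bobmessage1" OR MESSAGE="bobmessage2")
| stats dc(MESSAGE) as distinct_messages by TRANSACTION userFieldName
| where distinct_messages=2
| stats count as successful_transactions by userFieldName
| sort - successful_transactions
```

Events without a TRANSACTION or userFieldName value are dropped by the first stats, and a message repeated within one transaction still counts once because dc() counts distinct values.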