
Tracking of particular field

Path Finder

I have two fields, and from them I want to track one particular field from a starting value of this to an ending value of that. For that, I have written the search shown below. Is any correction needed?

| transaction abc xyz startswith=(xyz="something") endswith=(csuristem="anything") maxspan=1s

Here I have currently added maxspan=1s, but I want to check the immediate next event with the "anything" value, which may occur before 1s.
I want to focus only on the immediate next event from abc.

Another question: here I am tracking only one value. But how can I track the field value in both fields? Please share an example.

0 Karma

Re: Tracking of particular field

Influencer

Have you checked the maxevents option?

maxevents
Syntax: maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled.
Default: 1000

With a value of 2, that will get you the immediate next event with the abc value.

0 Karma

Re: Tracking of particular field

Path Finder

| transaction abc xyz startswith=(xyz="something") endswith=(xyz="anything") maxevents=2

If I add maxevents, will it also match xyz's starting and ending values?

After matching the xyz value, will it go further and check maxevents for the abc field?

0 Karma

Re: Tracking of particular field

Influencer

Yes.

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma
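The thread's two points (closing the transaction on the immediate next event, and constraining the start and end on both fields) put together in one search. This is an added example written for this page, not code from either poster or from Splunk's documentation; the index and sourcetype, the values "login" and "logout" for abc, and the choice to group only on abc (the field whose value stays the same across the pair) are assumptions made here, while "something" and "anything" are the xyz values from the question.

```spl
index=main sourcetype=app_log
| transaction abc
    startswith=(xyz="something" AND abc="login")
    endswith=(xyz="anything" AND abc="logout")
    maxevents=2
| where eventcount=2
| search xyz="anything"
| table _time abc xyz eventcount duration
```

Without maxspan, maxevents=2 closes every transaction as soon as a second event with the same abc arrives, so the pair is the start event plus whatever immediately followed it, however short the gap. The start and end conditions are ordinary search expressions, so both fields can appear in each with AND. The two filters at the end are the check a practitioner would want: `where eventcount=2` drops start events that never got a partner, and `search xyz="anything"` drops pairs whose second event was not the expected end event (a transaction closed by maxevents alone still has two events, but its merged xyz field will not contain the end value).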