Deployment Architecture

SPL query to group deployment config downloads

StephenD1
Path Finder

Currently I'm running the following SPL to confirm the UF downloaded a new config:

index=_internal sourcetype=splunkd (component IN (DeployedApplication, PackageDownloadRestHandler) OR (component=loader "Splunkd starting") OR "Restarting Splunkd")
| transaction host

This results in something like the following for each host. It's almost what I want but the Deployment Server events are grouped into their own transaction.

[screenshot: StephenD1_0-1769186240284.png]

I would like to group all of the above together into one transaction to show the download started/completed events from the DS in the same group as that UF.

I tried including startswith/endswith with various combinations of the following, with and without a field in the transaction command:

index=_internal sourcetype=splunkd (component IN (DeployedApplication, PackageDownloadRestHandler) OR (component=loader "Splunkd starting") OR "Restarting Splunkd") 
| transaction startswith="checksum mismatch" endswith="splunkd starting"

but this keeps grouping events from different UFs together.

Any suggestions would be appreciated.

0 Karma
1 Solution

livehybrid
SplunkTrust

Hi @StephenD1 

Does something like this help?

index=_internal sourcetype=splunkd (component=DeployedApplication AND ("Checksum mismatch" OR "Installing")) OR (component=loader "Splunkd starting") OR "Restarting Splunkd"
| rex field=app "(?<app>[^\.]+)\.?"
| eval splunkStarting=IF(LIKE(lower(_raw),"%splunkd starting%"),1,0)
| eval checksumMismatch=IF(LIKE(lower(_raw),"%checksum mismatch%"),1,0)
| stats values(app) as app, max(splunkStarting) as SplunkRestarted, sum(checksumMismatch) as checksumMismatches by host

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


0 Karma
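As an added illustration that is not code from the thread, the following Python reproduces the logic of the stats-based rollup above on a handful of constructed splunkd-style lines, so the per-host result and the difference between count() and sum() on a 0/1 flag can be checked offline. Hostnames, app names and message text are made up; the `app=` extraction stands in for Splunk's automatic key=value field extraction.

```python
import re
from collections import defaultdict

# Constructed sample events (host, _raw); NOT real splunkd.log captures. The
# message shapes only mimic the components the thread searches for.
SAMPLE_EVENTS = [
    ("uf01", "INFO  DeployedApplication - Checksum mismatch for app=myapp_outputs.tgz, will download"),
    ("uf01", "INFO  DeployedApplication - Installing app=myapp_outputs to=/opt/splunkforwarder/etc/apps"),
    ("uf01", "INFO  loader - Splunkd starting (build 0000000)."),
    ("uf02", "INFO  DeployedApplication - Checksum mismatch for app=myapp_outputs.tgz, will download"),
    ("uf02", "INFO  DeployedApplication - Checksum mismatch for app=other_app.tgz, will download"),
    ("uf02", "INFO  DeployedApplication - Installing app=other_app to=/opt/splunkforwarder/etc/apps"),
]

APP_RE = re.compile(r"app=(?P<app>[^\s,]+)")  # stand-in for Splunk's automatic app=... extraction


def summarize(events):
    """Per-host rollup equivalent to:
    stats values(app) as app, max(splunkStarting) as SplunkRestarted,
          sum(checksumMismatch) as checksumMismatches by host
    Matching is done on a lower-cased copy, since SPL LIKE() is case-sensitive."""
    rollup = defaultdict(lambda: {"app": set(), "SplunkRestarted": 0, "checksumMismatches": 0})
    for host, raw in events:
        row = rollup[host]
        low = raw.lower()
        m = APP_RE.search(raw)
        if m:  # rex field=app "(?<app>[^\.]+)\.?" keeps only the part before the first dot
            row["app"].add(m.group("app").split(".")[0])
        if "splunkd starting" in low:    # max(splunkStarting): any restart -> 1
            row["SplunkRestarted"] = 1
        if "checksum mismatch" in low:   # sum(checksumMismatch): one per mismatch event
            row["checksumMismatches"] += 1
    return {h: {**r, "app": sorted(r["app"])} for h, r in rollup.items()}


def count_vs_sum(events, host):
    """Show why count(checksumMismatch) is misleading: the eval gives every event
    a 0 or 1, so count() returns the host's total events while sum() returns
    the number of actual mismatch events."""
    flags = [1 if "checksum mismatch" in raw.lower() else 0 for h, raw in events if h == host]
    return len(flags), sum(flags)


if __name__ == "__main__":
    for host, row in summarize(SAMPLE_EVENTS).items():
        print(host, row, "count/sum:", count_vs_sum(SAMPLE_EVENTS, host))
```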
