How to find all events not having a prior event

rune_hellem
Contributor

Today we had an issue in our production environment - a cluster did restart without a preceding command to restart. Now I want to search our logs to see if this has happened before without us realizing it. I have tried using the transaction command, but I am not sure if it will fix this for me.

We are running WebSphere and whenever a JVM is being started it will log an event like this:

[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business

If the restart was initiated by an administrator via the console or as a scheduled restart via a script, the following event will be logged:

[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)

This is what I have tried (ref this answer):

index=production (e-business OR ADMN1020I) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m |search eventcount=1

But - no - it does find all "stop then started", but not the two "started without stopped" events.


richgalloway
SplunkTrust

Add the keeporphans=true option to the transaction command.

---
If this reply helps you, Karma would be appreciated.

rune_hellem
Contributor

Did try

index=production (ADMN1020I OR e-business) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m keeporphans=true

but it does not capture the e-business without ADMN1020I message

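As an added example that is not part of this thread (and not Splunk SPL), the same detection logic written in Python over a few constructed SystemOut.log lines in the format quoted above: every "open for e-business" start is paired with the most recent ADMN1020I stop request for the same server, and a start with no such request within the 15-minute window is reported. The per-server pairing, the single shared timezone and the sample lines are assumptions of this example, not something the thread states.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the WebSphere SystemOut.log format quoted in the thread (not real logs).
SAMPLE_LOG = """\
[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)
[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business
[9/9/20 3:12:44:001 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business
[9/9/20 3:30:00:000 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember01 server. (User ID = defaultWIMFileBasedRealm/wasadmin)
[9/9/20 4:00:00:000 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember01 open for e-business
"""
# Layout: [timestamp tz] threadid component level MSGID: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+?) (?P<tz>\w+)\] \S+ \S+\s+\w\s+(?P<msgid>\w+): (?P<msg>.*)$")
MAXSPAN = timedelta(minutes=15)  # same window as maxspan=15m in the searches above

def parse(line):
    """Return (time, 'stop'|'start', server) for the two event types, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Timezone is dropped: this example assumes all lines share one zone.
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
    if m["msgid"] == "ADMN1020I":
        s = re.search(r"stop the (\S+) server", m["msg"])
        return (ts, "stop", s.group(1)) if s else None
    if m["msgid"] == "WSVR0001I":
        s = re.search(r"Server (\S+) open for e-business", m["msg"])
        return (ts, "start", s.group(1)) if s else None
    return None

def unexplained_restarts(log_text, maxspan=MAXSPAN):
    """Starts with no ADMN1020I for the same server within maxspan before them."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # oldest first, regardless of file order
    pending_stop = {}  # server -> time of its latest unmatched stop request
    flagged = []
    for ts, kind, server in events:
        if kind == "stop":
            pending_stop[server] = ts
            continue
        prior = pending_stop.pop(server, None)  # each stop request explains one start
        if prior is None or ts - prior > maxspan:
            flagged.append((server, ts))
    return flagged

if __name__ == "__main__":
    for server, ts in unexplained_restarts(SAMPLE_LOG):
        print(f"{server} started at {ts} without a stop request in the prior 15 minutes")
```

On the sample, the 9/8 start is explained by the stop six minutes earlier, while the 9/9 starts are flagged: one has no stop request at all, the other follows its stop by 30 minutes, outside the window.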