Getting Data In

How to find all events not having a prior event

rune_hellem
Contributor

Today we had an issue in our production environment - a cluster did restart without a preceding command to restart. Now I want to search our logs to see if this has happened before without us realizing it. I have tried using the transaction command, but I am not sure if it will fix it for me.

We are running WebSphere and whenever a JVM is being started it will log an event like this:

[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business

If the restart was initiated by an administrator via the console or as a scheduled restart via a script, the following event will be logged:

[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)

This is what I have tried (ref this answer):

index=production (e-business OR ADMN1020I) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m |search eventcount=1

But - no - it does find all "stopped then started" events, but not the two "started without stopped" events.


richgalloway
SplunkTrust

Add the keeporphans=true option to the transaction command.

---
If this reply helps you, Karma would be appreciated.

rune_hellem
Contributor

Did try 

index=production (ADMN1020I OR e-business) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m keeporphans=true

but it does not capture the e-business events without an ADMN1020I message.

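As an added example (not code from this thread or from Splunk), the same check done outside Splunk in Python over a few constructed SystemOut lines in the format quoted above: each WSVR0001I "open for e-business" event is flagged unless an ADMN1020I stop request for the same server precedes it within a 15-minute window (the same maxspan as the search), which is exactly the "started without stopped" set the transaction search was missing. Server names are matched per member, so a stop request for one cluster member does not explain a restart of another.

```python
import re
from datetime import datetime, timedelta

# Constructed SystemOut.log lines in the format quoted in the question (not real data).
SAMPLE_LOG = """\
[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)
[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business
[9/9/20 2:13:40:001 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business
[9/9/20 3:00:05:120 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember01 server. (User ID = defaultWIMFileBasedRealm/wasadmin)
[9/9/20 3:20:30:777 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember01 open for e-business
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+):(?P<ms>\d{3}) \w+\] .*?"
    r"(?P<code>ADMN1020I|WSVR0001I): (?P<text>.*)$"
)
STOP_RE = re.compile(r"stop the (?P<server>\S+) server")
START_RE = re.compile(r"Server (?P<server>\S+) open for e-business")


def parse(line):
    """Return (timestamp, 'stop'|'start', server), or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Timezone is ignored here; the sample is all CEST.
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S") + timedelta(milliseconds=int(m["ms"]))
    if m["code"] == "ADMN1020I":
        srv = STOP_RE.search(m["text"])
        return (ts, "stop", srv["server"]) if srv else None
    srv = START_RE.search(m["text"])
    return (ts, "start", srv["server"]) if srv else None


def unexplained_starts(lines, maxspan=timedelta(minutes=15)):
    """Starts with no ADMN1020I for the same server within maxspan before them.
    Lines must be in chronological order (Splunk would sort them for you)."""
    last_stop = {}  # server -> time of its most recent stop request
    orphans = []
    for ts, kind, server in filter(None, map(parse, lines)):
        if kind == "stop":
            last_stop[server] = ts
        elif server not in last_stop or ts - last_stop[server] > maxspan:
            orphans.append((ts, server))
    return orphans


if __name__ == "__main__":
    for ts, server in unexplained_starts(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {server} started without a preceding stop request")
```

On the sample, the second MinSideMember02 start (no stop at all) and the MinSideMember01 start (stop requested 20 minutes earlier, outside the window) are reported; the first pair is not.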