Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to find all events not having a prior event

rune_hellem
Contributor
‎09-08-2020 10:04 AM

Today we had an issue in our production environment - a cluster did restart without a preceding command to restart. Now I want to search our logs to see if this has happened before without us realizing it. I have tried using the transaction command, but I am not sure if it will fix the for me.

We are running WebSpere and whenever a JVM is being started it will log an event like this

 

[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business

 

 If the restart was initiated by an administrator via the console or as a scheduled restart via a script, the following event will be logged 

 

[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)

 

This is what I have tried (ref this answer)

 

index=production (e-business OR ADMN1020I) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m |search eventcount=1

 

 But - no - it does find all "stop then started", but no the two "started without stopped"-events. 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-08-2020 11:53 AM

Add the keeporphans=true option to the transaction command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rune_hellem
Contributor
‎09-09-2020 06:51 AM

Did try 

index=production (ADMN1020I OR e-business) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m keeporphans=true

but it does not capture te e-business without ADM10201-message 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...