Getting Data In

Transaction Command: Determine Outliers/Mismatches Only

Path Finder

I am using the transaction command in Splunk to group the events of an identical log file across two hosts. Essentially, the field=value pairs across both hosts should be identical at all times. From time to time, issues can issue that cause the two hosts to become out of sync. I'd like to have a search that only identifies transactions where the field=value pairs do not match exactly. What would be the best way to accomplish this?

For instance, using the search below groups the log files from multiple hosts into a single transaction by second.
"searchterm" source="mylog.log" | transaction field maxspan=1s

I want to only return events with the below pattern (mismatches)
2020-01-10 17:30:00,348 INFO field=true
2020-01-10 17:30:00,351 INFO field=false

But ignore events with this pattern (identical)
2020-01-10 17:30:00,348 INFO field=true
2020-01-10 17:30:00,351 INFO field=true

Or this pattern (identical)
2020-01-10 17:30:00,348 INFO field=false
2020-01-10 17:30:00,351 INFO field=false

0 Karma

Ultra Champion
"searchterm" source="mylog.log" 
| streamstats time_window=1s dc(field) as flag
| where flag >1

how about this?

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...